Accelerated throughput synchronized word stream cipher, message authenticator and zero-knowledge output random number generator

ABSTRACT

Systems and methods are disclosed, especially designed for very compact hardware implementations, to generate random number strings with a high level of entropy at maximum speed. For immediate deployment of software implementations, certain permutations have been introduced to maintain the same level of unpredictability which is more amenable to hi-level software programming, with a small time loss on hardware execution; typically when hardware devices communicate with software implementations. Particular attention has been paid to maintain maximum correlation immunity, and to maximize non-linearity of the output sequence. Good stream ciphers are based on random generators which have a large number of secured internal binary variables, which lead to the page synchronized stream ciphering. The method for parsed page synchronization which is presented is especially valuable for Internet applications, where occasionally frame sequences are often mixed. The large number of internal variables with fast diffusion of individual bits wherein the masked message is fed back into the machine variables is potentially ideal for message authentication procedures.

FIELD OF THE INVENTION

The present invention relates to the field of cryptography, and, in particular, random number generation, synchronized stream cipher sequences, and the generation of message authenticating coding.

BACKGROUND OF THE INVENTION

Conventional prior art random number generators, stream ciphers, and message authentication and associated technologies are described in the following documents:

-   Intel, U.S. Pat. No. 5,706,218, Random Number Generator;
-   M-Systems, US Patent 2004/0205095, Random Number Slip and Swap Generators;
-   Maurer, U. M., “A Universal Statistical Test for Random Bit Generators”, Journal of Cryptography, Volume 5 Number 2, 1992, pages 89-106, hereinafter “Maurer”;
-   Specification No. TS 102 221 V3.0.0F-06921 published by the European Telecommunications Standards Institute 2000, hereinafter “ETSI”;
-   Texas Instrument's OMAP Preliminary User's Manual Security Features, January 2001, particularly FIG. 7-15, hereinafter “OMAP”;
-   Rueppel, R. A., Analysis and Design of Stream Ciphers, Springer-Verlag, Berlin, 1986, pages 117, 186-187 and 216-218, hereinafter “Rueppel”;
-   The battery of George Marsaglia's latest tests for randomality of generated binary sequences can be found on the following Hong Kong University website: ftp://ftp.csis.hku.hk/pub/random/source, hereinafter, “Marsaglia”.

SUMMARY OF THE INVENTION

This invention describes a compact hardware and compatible firmware method for generating quality cryptographic strings of unpredictable binary symbols, i.e., random numbers, with modifications to encrypt binary clear text into cipher text, and to decipher the cipher text with a similar device or firmware emulation thereof; and with further suitable modifications to enable a rigorous method for assuring message authentication, designed to replace present systems which have been successfully attacked and proved inadequate.

The terms random and pseudo-random, or (p)random are used interchangeably, and are often replaced with the words “seemingly random” wherein real random signifies a state of entropy (unpredictability) caused by uncorrelated unpredictable phenomena. Pseudo-randomness signifies a condition wherein a known device with a known initial input has a determined state at a given interval. Real random number generators are typically random non-deterministic devices, driven by a random physical phenomenon. Stream cipher generators are deterministic devices, generating sequences which are generated by a device operative to use a secret key, wherein the output of the device is easily decipherable only by the same or equivalent device operative to use the same secret initializing key. In such transmission, communicant devices, e.g., satellites and ground transmitters, both sender and receiver typically share the same secret key for a cryptographic stream cipher transmission session. In a typical situation, an adversarial or chance observer or testing device cannot differentiate between a random and a pseudo random sequence.

Whether a string of binary bits or words is purely random, colored random, or pseudo random is often philosophical, often ambiguous, and is generally dependent on the observer's knowledge of the generating function and the state of the variables. Using the expression “seemingly random” evades the semantic problem, as a given word variable is pseudo random to a random oracle privileged to know internal secrets, and is conversely unpredictably random to a non-privileged observer, entitled, at most, to see a sequence of generated “seemingly” unpredictable words. In many instances it is conventional to use random as a generic description of all “seemingly random” strings, wherein the context defines more accurately the unpredictable status.

INTRODUCTION

There is a stark similarity to the design criteria of a stream cipher and unpredictable random number generator and to Shannon's proof that a “one time pad” is the only perfectly safe encryptor. In the Vernam “one-time pad” cipher, a “securely generated” random number binary key, confidentially kept by the sender and receiver, which is exactly the length of the message is used both to encrypt (by the sender) and to decrypt (by the receiver of the message). Each bit of the key is XORed to clear text data to generate cipher text which is intractably discernable to an observer of the cipher text, as we assume that an adversary could never guess a long random number. As the recipient of the cipher text knows the secret full length “key” used by the enciphering entity, the receiver decrypts the cipher text by using the identical binary sequence which the receiver XORed bit by bit to the cipher text.

The Vernam cipher secret key had to be unpredictable to the most astute observer; the authentic criterion for testing the output of random number generators. It is herein assumed that the ZK-Crypt asymptotically approaches “Vernam” infallibility. In a typically strong system environment, using both the native and generating an obscure extension of the initializing key, working in the most current consuming modes, the user typically confidently assumes that brute force compromising of the key entails large amounts of clear and cipher text Samples from a given session, and well over 2¹⁹⁰ individual trial attacks to divulge the initial conditions. Exhaustive search attacks with a work factor of 2¹²⁰ are considered to be intractable with conventional computing, e.g., future attacks may involve quantum or DNA computers.

In conventional cryptography and in the embodiments of this invention, the one-time long length key is a derivation of a shorter secret key, to generate an encryption key, with a sequence whose length is much longer than the clear text data. The process is typically the fastest method available for encrypting long sequences, e.g., for digitized broadcast television.

It is well known that there is more “local entropy” in Many to One LFSR sequences (see the Glossary) with more than one pair of taps. The serial outputs of Many to One and One to Many LFSRs are equivalent. To the best of our knowledge, no prior art implementations used all or any of the parallel outputs of One to Many feedback shift registers.

With One to Many FSRs, it is far more obvious that as more XORs are interspersed between cells, the intra-word XORing “scrambles” bits of juxtaposed words (as opposed to the far weaker inter-word changes of Many to One FSRs).

Changing an original Many to One design which was compliant to the NIST test suite when Sampled once every seven primary clocks to the One to Many configuration, produced similar tested results when Sampled once every three primary clocks.

The design criteria for the ZK-Crypt system were very rigorous.

The hardware device had to be:

fast, one clock cycle had to produce one result word for transparent downloading of encrypted digital content over noisy transmission lines, e.g., mobile telephones;

fast for strong message authentication to assure tamper-resistance to stored or transmitted files, financial transactions, long documents, especially to enable booting after quick validation of the operating system;

a very low power consumer, deployable with standard cell semiconductor logic;

compact in size, not much larger than an efficient quality random number generator, to be economically feasible for universal inclusion in smart cards, memory controllers, and general purpose CPUs, controllers, and number crunchers;

compatible with the most rigorous tests and rules of compliance for each of the three principal security functions and, not least;

based on an easily recognizable secure architecture, including provable and innovative elements, based on non-esoteric principles to assure early acceptance by cryptographers and standard committees;

an efficient RNG, random number generator; SCE, stream cipher encryptor/decryptor; and not least, a versatile Message Authentication Coder, MAC, to replace the SHA-1 method which is under constant attack.

The firmware implementation had to be available for preliminary:

-   testing of principles;
-   generation of test vectors for the hardware implementation;
-   preparation of drivers for testing modes of use;
-   re-checking compliance with standards; and not least,
-   to enable immediate distribution for use on existing systems.

The results were gratifying:

At each single stepped clock cycle (after initialization) the device:

outputs 32 bits of stream cipher en/decoded cipher text, or

outputs an unpredictable Random Number 32 bit string, or

in the first phase digests 32 bits of Message in virtually any length binary file and then Outputs 32 bits of MAC Signature at each clock, wherein;

In the most economic single step mode the unit passes the NIST suite of RNG tests, Marsaglia's DieHard suite, Maurer's suggested tests, and proprietary specific to design tests.

The device is considered Zero-Knowledge, in that an adversary only has access to an output that is “firewall separated” by a hash matrix permutation, four odd-number complementors, at least one correlation immunizing, non-singular maximizing barrier to any of the internal three tiers of non-linear feedback generators, each tier with a pseudo-Brownian reverse orientation correlation and bias elimination permutation combiner, driven by two non-correlated synchronized clocks.

Note that in applications wherein at least one of two communicants executes the ZK-Crypt methods in software, the pseudo-Brownian reverse orientation is typically replaced by simple left or right hand rotations, with the commensurate loss of complexity. (See Rotate and XOR Tier Output Word, in the Glossary.)

The Basic RNG/SCE/MAC Modes of Operation

The ZK-Crypt has one clock input, the Host's (see Glossary) system clock. Typically, it has a second internal optional autonomous oscillator, operative to supply an uncorrelated random source, for RNG applications, unconstrained by ETSI restrictions. Typically, embodiments are activated in the Single Clock Mode, driven by the system clock, only. When the RNG operates in the Single Clock Mode, we say that the hardware is a pseudo-random number generator, where the random source is the secret key (initialized condition); we use the deterministically initialized RNG type outputs in the SCE as the mask for efficient encryption and decryption. (In the RNG dual clock mode, the random sources are the unknown initial state, and the continued randomization caused by the unpredictable pulsing of an autonomous oscillator.)

In the MAC mode, the state of the machine must be a pseudo-random state which is grossly changed by every bit of each successive message word. In the ZK-Crypt the permuted message word is fed back into the Feedback Store, so that previous words affect every eventual message word and every variable in the following states of the machine. The MAC signature is a series of output steps relating to the final state of the ZK-Crypt engine. Six 32 bit words (192 bits) would be a unique sequence representing the status of the six virtually unique words in the ZK-Crypt machine at the last stage of operation.

In all three feedback modes, the ZK-Crypt loads the Feedback Store with relevant MUXed values. In SCE this feedback is not a function of a message word, but typically is the feedback of the encryption mask.

In Single Step economy operation, when at each step only one of three tiers is activated, operation is most efficient and is the fastest and the lowest power consuming, using less than 10% of the current of the 3 tier, 15 Multi-Step operation. Economical operation is of utmost importance in mobile phone and other portable device applications.

In Multi-Step Operation (Encryption, MAC or Random Number Generation), the ZK-Crypt first activates the random clocks a predetermined (the value minus one specified by Sample Delay Vector) number of system clocks to activate nLFSRs prior to sampling an output (while simultaneously activating the Register Bank on the last clock cycle).

In the MAC mode, during the first phase MAC digest, the outputs are fed back into the nLFSR bank; during the second phase output sequence of the authentication coding, the 32 bit signature output strings are downloaded to the host (see glossary).

The following glossary is for reference, as most entries are explained elsewhere in the document. Many explanations are included to help the reader.

Glossary

Autocorrelation: In the binary sense, a measure of entropy or mutual relationships between two binary strings, wherein a binary n bit “base” string is replicated, typically to double length, and the “base” string is “compared” to the longer replicated string (XORed to the string as it is offset bit-digit by bit-digit), and the number of like (hits) and number of unlike (misses) comparisons is counted and recorded at each comparison. In a perfect n-bit pseudo-random sequence, the number of hits and misses is balanced for all n-bit comparisons, except for the single comparison (zero offset) when the string is compared to “itself”, when there would be n hits.

Biased bits: Seemingly random string generators potentially combine devices and functions which generate specific bits in a string, or possibly all bits in a seemingly random binary string, with a predisposition to either one or zero. This patent describes methods to eliminate and/or reduce such predisposition.

Binary: A system in which there are only two possibilities. In binary arithmetic, this is defined as arithmetic radix of two; in electronic logic this is defined as binary symbol, 0 or 1.

Binary Stream: A bit stream of typically undefined ones and zeroes.

Brownian Motion, Pseudo: The ZK-Crypt nLFSRs move random strings in a left to right movement, with aberrations occurring when the feedback bit randomly is a one, thereby randomizing the left to right random motion (because of the value emitting from the MS flip-flop or as a result of a slip pulse or the NOR zero syndrome detector).
Experience has shown that if the outputs of the nLFSRs in each tier are XORed and filtered through the Hash Matrix permutation, and at each step (clock) the result is Sampled and tested, the results did not pass the rigorous DieHard test, typically because the tester found a left to right moving correlation. To overcome the left to right detectable movement syndrome, an emulation of a right to left seemingly random pseudo-Brownian bit movement permutation is made by making small clusters move forward and backward, where the bits in the cluster move from right to left. Refer to the Top Tier output mapping of FIG. 12. If (1 to 13 bit) random clusters are taken of input X, where the bits in the cluster have their direction reversed, e.g., cluster (x₂₁, x₂₂, x₂₃, x₂₄) becomes “mirrored” cluster (x₂₄, x₂₃, x₂₂, x₂₁), and these mirrored clusters are dispersed randomly in Y, a pseudo single direction random Brownian type motion is simulated. In low cost software implementations and lowest power hardware embodiments, the Brownian displacement function is typically disabled, and the Wait and Sample function is enacted wherein nLFSRs are stepped several stages between Samplings. See Rotate and XOR Tier Output Word.

Cipher Text: Encrypted data.

Clear Text: An unencrypted binary message.

Clock: In typical digital systems, a synchronizing binary oscillating signal or the device that generates said signal. Typically, in a device the source is an electronic oscillator that generates periodic signals for synchronization of processes. In typical random number generation embodiments, randomness is typically initiated by simultaneously activating a system clock and a second uncorrelated clock, such that randomizing events typically occur at intractably difficult to estimate intervals. In stream cipher embodiments, there typically is only one clock which deterministically synchronizes the generating stream. In the preferred embodiments of this invention, the primary clock is the single oscillating source.
A typical clock cycle occupies a time interval, called a period. Typically, during the first half of the period the clock cycle signal is a stable binary one voltage, and during the second half of the clock period, the voltage is stable at a binary zero voltage level. In the deterministic functions of this document, the pulses of the primary clock are derived from the system clock typically by rules defined by the host computer, and are irregular and are typically not generated in long bursts, regular or irregular. In the methods of this document, a step is equivalent to a single clock signal.

Clock Modes, Single/Dual Clock Mode: Two classes of clock modes are demonstrated. A dual clock mode, based on an autonomous oscillator useful for enabling unpredictability to a user who has extensive knowledge of the initial condition of the system, wherein such user has no relevant constraints on temporal current consumption, or is not in danger of generating noise in the specific electronic circuit. The autonomous oscillator is typically activated only when the primary clock is active, in Host defined commands, which typically include single, burst, or free run primary clock activation. The autonomous clock is only activated for random string generation, typically, for establishing initial random string conditions. The autonomous oscillator is activated by the Dual Clock Mode bit. The Single Clock Mode is typically the default mode for RNG, SCE and MAC applications. When only the Single Clock Mode is allowed, the ZK-Crypt mechanism is typically first loaded for RNG and SCE operations with a seemingly random seed, unknown even to the user. Typically, ring oscillators are used as sources for the uncorrelated clocks. In software implementations, there is typically no direct equivalent to an autonomous oscillator. For random number generation, the CPU memory must be programmed to generate a random seed of sufficient length to allay brute force attacks.
Real randomness of the RNG seed in the hardware implementation is obtained, typically, by non-deterministic activations caused, typically, by Host derived random intervals caused by users' depression of key switches on a keypad. A similar strategy is useful in many computer applications wherein at each key switch depression and/or key switch release, the CPU samples a running counter, the values of which are concatenated into a random string.

Colored Random: An analogy from optics, where the recurrence of patterns or characteristics, typically from a physical random generator, is detectable, e.g., a pattern . . . 0011100111, reappears more often than is normally expected.

Collision (MAC): The unexpected occurrence wherein an altered data file and the original MAC encoded data file have identical signatures. A collision may be accidentally or fraudulently contrived, e.g., a criminal changes the amount of money in a transaction file. Serious collisions have allegedly been found in SHA-1, the NIST Secured Hash Algorithm. In the preferred Message Authentication Coding embodiments, the number of 32 bit digested words is included in the header word, x_(hdr) of the digest, and in the last tail word x_(t), wherein x_(t) is generated by the Mask and Page Synch Counter, regulated by a fixed or frozen protocol, to automatically read the Mask and Page Synch, diffusing said count value into the native and obscure variables, thereby limiting the number of collision combinations that an adversary is capable of generating.

Complement: In the binary sense, one complements zero, and zero complements one.

Confusion: Shannon's original definition of permutation rules, e.g., enciphering transformations that complicate the determination of how the statistics of ciphertext depend on the statistics of plaintext.
Correlation: A measure of mutual relationship between two signals, e.g., when one clock is a derivative (e.g., divided by 4) of a second clock, the correlation of one clock to the other is the ratio of the frequencies, 4 to 1. In stream cipher parlance, a nonlinear function F is m-order correlation-immune if the mutual information between the output variable and any subset of m input variables is zero (statistically independent). This is difficult to prove in any particular memoryless function of the ZK-Crypt, even as these functions are driven by non-linear trigger functions, and as each tier working separately, without the non-linear combiner with maximum correlation immunizers, passed the DieHard and NIST tests. Two preferred embodiments of pseudo half and full adder addition (single and double carry saved inputs into each cell of the combiner) ensure maximum non-linearity and correlation immunity.

Correlation Immunity: We say that an output is correlation immune, or maximum correlation immune, if no information is leaked from the input (either the stage of an nLFSR or a message word) to the output, either the mask output or to the XORed message to mask output. Rueppel shows that one bit of memory with any non-linear function exhibits both maximum correlation-immunity and maximum non-linear order, if the input has a sensibly chosen uniform distribution. The XOR of the three tiers of nLFSRs, as shown, are statistically well balanced, and the mapping of a tier input into a pseudo-Brownian output and subsequent unbiased permutations ensures unbiased input bits into the non-linear correlation immunizers. Note that in applications wherein at least one of two communicants execute the ZK-Crypt methods in software, the pseudo-Brownian reverse orientation is typically replaced by simple left or right hand rotations, with the commensurate loss of complexity. (See Rotate and XOR Tier Output Word.)
CPU, Central Processing Unit: A host device, which typically controls the random generating device or method of preferred embodiments, i.e., defines clock modes, activates generator clocks, commands, and concatenates samplings of the generated seemingly random strings into a larger seemingly random output string.

Cryptographic Operations: A term that typically denotes operations including, but not limited to: encryption, decryption, secure hash for message authentication code; and for generating random number sequences.

Cycle, Cyclic: Recurrences of same patterns. A clock cycle is typically an interval characterized during the first half of the interval by a one and during the second half of the interval by a zero. Non-extended LFSRs of length n, when activated for (2ⁿ − 1)x clock cycles, serially output a string of at least x same binary sequences repeatedly, each of which is (2ⁿ − 1) binary bits long.

Data Churn: That part of the ZK-Crypt which processes the XORed output of the three tiers of the Register Bank, see FIG. 2. The churning operations consist of the Hash Matrix permutations, the ODDN random complements, the Intermediate and the Feedback Combining, and the XOR combining, operative to XOR the output of the Intermediate Combiner with the Message word.

Diffusion: The quality of spreading the influence of a single plaintext digit over many ciphertext digits so as to frustrate a piecemeal attack. Extensive diffusion is especially important when using the MAC function, as the source of diffusion is the message words; i.e., an adverse change of a decimal point or a phrase is typically costly, if a MAC signature is identical for both cases.

Displacement: In the context of “slips” in an LFSR sequence of words, the jump of the normal place in the word sequence caused by the complementing of the least significant (LS) bit of the next word to appear in the sequence. For example, in a 5 bit sequence, a one XORed to a zero feed back would displace the word with 0 “left hand” bit with a one bit.
The Hash Permutation, the Brownian permutations, and a simple Rotation of the pairs of nLFSRs affect displacements of input bits. An alternative to the pseudo Brownian Motion displacement correlation deterrent function, wherein the Brownian displacement routine of each tier is replaced typically by a single, double or triple left hand rotate of the output of the Top, Middle and Bottom Tier, respectively; e.g., the Top Tier is “multiplied by two” (left shifted one bit), and the 00 (MS) bit is “carried into” the LS (31st) bit's location. In such software “friendly” operations, the Hash transformation is redundant. The advantage of this scheme is the relative ease to execute the transformation in a hardware compliant software application.

Entropy: In the random binary string context, a comparative measure of confusion or divergence typically from a predictable sequence, or a part thereof. Simply stated, entropy signifies a degree of “unpredictability”. The accepted mathematical definition grants the same measure of entropy to a random and to a similarly generated pseudorandom sequence. “The probability of finding a particular symbol, times the natural log of that probability, summed over all symbols, and negated” is a measure of the “uniqueness” of a sequence, measured in bits. Entropy is not the only measure of randomness.

Even Number String, ENS: A binary string in a Word consisting of an even number of binary bits, wherein the number of one bits is an even number of bits, and, conversely, the number of zero bits is an even number; e.g., a 32 bit Word with 14 one bits and 18 zero bits in any permutation would classify as an Even Number String. Obviously, one half of the possible 2³² bit combinations would be classified as Even Number Strings. If any 32 bit word, X, is permuted into a second 32 bit word, Y, and the result R is X XOR Y, R is always an Even Number String. See Odd Number String, ONS.
Each of the Brownian permuted tiers (or even a simple rotational permutation) outputs ENSs only. The transformation of the outputs of each tier is a many to one mapping; conversely, the output elements are a subset of all of the typically unbiased outputs of the nLFSR pairs.

Exclusive OR, XOR Function: The function symbolized either by an encircled cross ⊕, or as a logic gate (and often, when the OR function is not used, simply, a plus sign). Typically, there are two binary inputs to an XOR function. If both inputs are alike, e.g. both are either ones or both are zeroes, a condition defined as a hit, the output is a zero. If both inputs are unlike, e.g. either one and zero, or zero and one, the output is a one, often defined as a miss. In the figures, numeration defines either the gate or the output of the gate. The abbreviated name XOR and the accepted full name of the XOR logic gate may be used as transitive verbal participles, e.g., exclusive ORing or XORing a one and a zero to output logic one.

Exhaustive Search, Brute Force: The particular architecture is of a type that is heretofore considered intractable to cryptoanalyze, so that “exhaustive searches” or “brute force” methods are considered to be the only schemes available for prediction. (Remember, there are no proofs that a deterministic cryptographic system cannot be hacked.) Industry standard strengths of intractability describe a Big O work factor, which says that a constant Big O times an average minimum number of mathematical procedural searches. A work factor of 2⁸⁰ was considered sufficient in 1996, in 2005 a work factor of 2¹⁰⁰ is considered sufficient, and Diffie estimates that a work factor of 2¹²⁸ is sufficient until the advent of flexible quantum computing.

Flip-Flop (FF) - Types D, T & SR: An electronic device, capable of maintaining two stable output states, one or zero on outputs Q and Q NOT. Synchronous (clock activated) flip-flops used in the preferred embodiments are Data (D type) and Toggle (T type).
In the D flip-flop, the input at the D connection appearing immediately before an activating clock cycle is Sampled and transferred to the output, Q. In the T type flip-flop, the output is a polarity change from the previous output. When the T input is a one, and a clock signal activates the flip-flop, the previous polarities of Q and Q NOT are reversed. Clock activation is typically activated by a rise in the voltage of the clock signal, denoted in the figures by a direct connection of the input to the clock connection; or by the fall in voltage of the input clock signal, typically denoted by a small circle adjacent the connection of the flip-flop. SR flip-flops are asynchronous devices, as they, typically, are activated at random instants, and unsynchronized to a system primary clocking device. An activation voltage on the S input causes a stable one (a set) on the output, Q. Activation of the R input (often marked CLR or Clear) causes a stable zero (a reset) on the output, Q. Flip-flops have an optional second output Q Not, symbolized by a Q under a horizontal dash. A D type flip-flop, with the inverted Q NOT output connected to its D input, toggles the output at each activating clock signal. D, T and SR flip-flops are used in Stream Ciphers and Random Number Generators. Replication of such devices is immediate in software implementations.

Hash Matrix: In this ZK-Crypt, the Hash Matrix is a rule set of 4 permutations of an input signal. In the preferred embodiment the rule is selected by a “juggle toggled” Johnson Counter. The D vector is null vector permutation wherein bits are not displaced. Provision is made, for testing and for enabling efficient software implementations, to lock-in the D vector, as software simulations of the Hash scramble entail inefficient bit orientated operations.
Host: The device that controls, reads, synchronizes, Samples, and monitors the output of the stream cipher and random number generator, typically a CPU or a finite state machine with pipelined inputs and outputs for fastest operations.

Initial Condition: The Initial Condition (I.C.) of the ZK-Crypt. This I.C. condition is the “key” from which the running key in SCE continues, is a typical random starting condition for RNG generation, and is a publicly known condition for unkeyed MAC. Keyed MAC assumes that the initial condition is confidential.

Intractable: In the context of the preferred embodiments, the assumption that accurate estimation or prediction is typically unfeasible using known methods. With 128 bits of native keys, or over 500 state bits, we assume that the compromising the ZK-Crypt is intractable.

Inverter logic gate: A logic gate that outputs a signal that is complementary to the input symbol, e.g., a logic one is changed to a zero, and a logic zero is changed to a one. An inverter gate is symbolized by a triangle with the inputs on its base, and a circle on the apex, which denotes the output.

Johnson Counter, Juggle Toggled Johnson Counter: Typically, an n bit counter, with n flip-flops, wherein a lone one progresses with a wrap around “right to left” shift. The juggle toggled Johnson counter of the ZK-Crypt progresses both right to left, and left to right, toggled by an internal signal from the (P)Random clock generator. The initial setting of the Johnson counter in SCE and MAC modes of operation is part (2 bits) of the Cipher Control Word. At power-up, typically flip-flops naturally assume a seemingly random state. In those cases where a deterministic secret I.C. is not loaded or preferred, the Johnson counter is typically powered up to a state with more than a lone “1”, or possibly in the all zero state. Internal logic forces the counter into the 0001 or 1000 state, respectively.

Key, Native, Obscure: The native keys in the preferred stream cipher embodiments are the initially loaded conditions of the Running Key controls and the three tiers (typically loaded by the Host). Obscure keys are contributing memory devices (another almost 70 flip-flops) which are not directly programmable by the host. The stages of the permutation of the embodiments are stages of the running key.

Latch: Typically, a word length string of parallel D type flip-flops, operative to snare and store binary data from a data bus when activated by a signal on the flip-flops' latch-in gates. Latches are implemented in the output ports of the preferred embodiments in this invention.

Least Significant, LS, and also Most Significant, MS: In normal binary representations, the Least Significant, LS, bit (lowest power bit) is on the right hand side, and the Most Significant, MS, bit (highest power bit) is on the left hand side of the binary word. This orientation is typically not common to counters and shift registers based on flip-flops. Typical circuit diagrams, including binary counters and shift register representations in the literature depict signal inputs with movement oriented from left to right, with the output on the right. In typical descriptions in the literature, and in this document, cells of registers and counters are numerated from left to right, where the LS cell is on the left, and the MS cell on the right. In the tier, counter and shift register representations in this document, the LS bit, denoted the zero bit, is on the left, and the MS bit of an n bit device, denoted the n − 1'th bit of the device is on the right.

LFSR: See also Linear Feedback Shift Register and Maximum Length Linear Feedback Shift Register. The LFSR configurations in the preferred embodiments are maximum length configurations.
An LFSR is an autonomous logic device, typically having only one binary input, the “clock” or method stepper.

Linear Feedback Shift Register - LFSR: A clocked shift register device typically assembled from D type flip-flops with feedback taps drawn from defined pairs of flip-flops in the register, or in a second class, with XORs placed between flip-flops of the registers. There are two general classes of LFSRs, One to Many, and Many to One. In a Many to One sequence, outputs from a plurality of taps from a shift register are XORed to the output of the feedback flip-flop which is returned to the input of the first “left hand” flip-flop. In a One to Many configuration, the output of the last flip-flop of the register is fed into specific XOR gates placed between register flip-flops and also fed into the first flip-flop. In the Many to One LFSR configuration, pairs of taps are XORed together, and the pairs, if there is more than one, are again paired, until a single serial feedback signal is input to the “left hand” D-Flip-flop of a right shift register. The LFSR is classed as a linear device, as for each configuration of the LFSR, a given word on the outputs of each of the registers, leads to another defined output of the register, such that the n bit word sequences are cyclically repeated, when the clock is continuously clocked. An all zero word is typically an unacceptable sequence in an LFSR configuration, as 0 XOR 0 is equal to zero, and the LFSR is stuck in a sequence syndrome of zero in and zero out. During operation, the only input to an LFSR is the clock or stepper. Knowledge of the fixed configuration of an n bit LFSR, and one n bit word, typically is sufficient to know another n bit word. Knowledge of a sequence of two consecutive n bit words enables an observer to know both the configuration and the index number of the Sampled words.
Different feedback configurations from same length maximum length registers produce all of the same elements of the sequence, but in a different sequential order. In the preferred embodiments, the nLFSRs feeding the Hash Matrix are of the One to Many class. The LFSRs in the Control Units are Many to One feedback shift registers. The One to Many configuration is often referred to in the literature as the Multiple Return Linear Feedback Shift Register. Adjacent stages of One to Many LFSRs appear to have more entropy than adjacent stages of Many to One LFSRs, to an observer who has no knowledge of the generating LFSR devices.

MAC, Message Authentication Code: A one way function process for converting a large concatenation of binary words into a shorter concatenation of words, a seemingly unique signature on the contents, such that the chance of collision, caused by an adversary or fault, is practically non-existent. The NIST SHA-1, SHS (Secured Hash Standard) generates a 160 bit signature. MAC methods do not inherently guarantee that the signature is a genuine signature. Typically MAC signatures are certified using public key encryption methods.

Many to One nLFSR, LFSR: The conventional configuration of maximum length feedback registers, wherein pairs of tapped junctions between flip-flops are XORed together to produce the feedback signal. See One to Many nLFSRs.

Maximum Length Linear Feedback Shift Register: “Maximum length LFSRs” denotes the class of feedback configurations, where all possible output words, with the exception of the all zero word, are elements of the word sequence of the LFSR. Such LFSRs have desired qualities of randomness, to the observer who has no knowledge of the LFSR logic configuration; hence they are also referred to as pseudo-random or pseudo-noise number generators.

Mask: The seemingly random, deterministic, intractably unpredictable output of the intermediate non-linear correlation-immunizing combiner is the mask which encrypts the message word into cipher text when XORed to the plain text message word and decrypts the cipher text when XORed to the cipher text. The Mask is generated by the running key, but is not part of the running key when the device is operated without feedback. In all feedback modes, the Mask is recycled into the Register Bank, and is diffused into subsequent masks.

Message: In stream ciphering, the same generated from the secret running key Mask in the first instant of encryption, is XORed to the input plaintext message, thereby encrypting the message word into ciphertext. The decryptor does the identical operation, with its same generated secret running key mask, and thereby decrypts the message word. This is considered a symmetric key operation, as both the encryptor and the decryptor generated an identical mask.

Most Significant, MS: See Least Significant.

Multiplexer: An electronic device with a plurality of binary inputs, each with a defined “address” and a binary “address” input. An addressed binary input is switched to the multiplexed output.

Multiple Return nLFSRs: See One to Many nLFSRs.

Nonlinear Feedback Shift Register - nLFSR: Classes of electronic devices wherein the XORed feedbacks from the shift register do not completely determine the sequence of output words. The non-linear methods used in the preferred embodiments, include a NOR gate to insert a one into the next output word, when all sensed inputs are zero; a “slip” pulse which seemingly at random steps complements a feedback binary symbol, and the many to one pseudo-Brownian permutations. The slip pulse non-linearizes the tiers, as the “slip” is a function of two input AND logic, which causes local complexity in the nLFSR stages, and non-linearity in the stage sequence of the tiers.

Non-linear Function, the Non-linear combining correlation immunizing function: The AND function is the simplest non-linear function. Note that the change of a single input into the AND logic gate may or may not change the gate output. Examination of the circuitry shows other examples of non-linearity, e.g., when the uncorrelated output of relevant bits of clocks and controls are ORed together, one of the two signals is typically redundant. The Intermediate and Feedback combiners, both with stage memory, and carries achieve maximum non-linearity and also maximum correlation immunity.

NOR logic gate: A mnemonic for NOT OR. NOR gates have a plurality of inputs, such that an output of one typically only does not occur if all NOR inputs are at zero. For all other combinations, the output of a NOR gate is zero. The mnemonic NOR may be used as a verbal participle, e.g., NORing inputs A and B to output a one. The NOR gate extension in the LFSRs and NLFSRs in this invention, are operative to induce a zero feedback to form an all zero stage in the shift register, when only the Most Significant bit of the stage of shift register is a one. This addition is also called the de Bruijn sequence, the extended length LFSR, or the proactive solution to the “Stuck on Zero” syndrome, as the NOR gate inserts a one into the feedback when all flip-flops are in a zero binary state.

Number, Binary: Any n bit string of binary bits may represent a binary number from zero to (2^(n) − 1).

NXOR, Not XOR: See XOR.

Odd Number String, ONS: In an even number of bits string, e.g., a 32 bit word, wherein there is an odd number of one bits, and conversely an odd number of zero bits. Typically, in the preferred embodiments, an ONS is generated when an ENS output from the Hash Permutation Matrix is complemented by one, two, three or four of the ODDN vectors of XOR gates.

ODDN, Odd Number Complementors: A cluster of four vectors of XOR gates, each consisting of an odd number of XOR gates, selected randomly by the Tier Select control unit and the Random Clock, operative to randomly complement the outputs of the Hash Matrix. In the preferred embodiments, there is one vector with 13 gates, 2 with 9 gates, and one with a single gate. All combinations are equally probable.

One to Many nLFSR: Conventional linear and non-linear feedback shift registers in the literature are configured as many to one feedback shift registers, where pairs of taps are drawn from junctions between flip-flops, and the modulo 2 sum of the outputs serves as the principal feedback into the “left hand” flip-flop. The main drawback to the One to Many configuration is that each stage of the output of the nLFSR or LFSR is a shifted copy (exceptional correlation) of the previous stage, with the exception of the feedback bit into the left hand flip-flop. In the one to many configuration, the XOR gates are inserted between the shift register flip-flops and the feedback bit complements the shifted bits. As in the configurations of the present embodiments, XOR gates are placed at short intervals between flip-flops, a feedback bit of one causes more seemingly random local complexity than the normal many to one shift. Changing an original Many to One design which was compliant to the NIST test suite when Sampled once every seven primary clocks to the One to Many configuration, produced similar tested results when Sampled once every three primary clocks. In all instances, FSR configurations were chosen with a plurality of feedback taps. See FIG. 11. Both configurations are equivalent, if only the single right-hand output bit is Sampled. Altering the feedback with the slip pulse and the NOR gate sensing N − 1 zeroes in the sequence, changes a conventional one to many LFSR into the non-linear feedback configurations of the Register Bank.

OR Gate, ORing, ORed: The logic gate operative to output a one if any one of the plurality of inputs is a one, wherein, only an all zero input produces a zero output. The function name of the logic gate may be used as a transitive verbal participle, e.g., ORing a zero and a zero to output logic one.

Oscillation: In the binary context, the variation between one and zero with respect to time, typically with a quasi-stationary period between changes of polarity. Typically the primary clock is a derivative of the system clock used by the CPU. Typically, an uncorrelated clock is generated by an odd number ring of inverters, defined as a ring oscillator, operative to oscillate at a slowly varying frequency, uncorrelated to the primary clock frequency. The period of a ring oscillator clock cycle is a function of the propagation delays of the inverters. The propagation delays are functions of device temperature and supply voltage.

NXOR, Not XOR: See XOR.

Page, Page Equality: In normal transmission of data over noisy channels, typically sender and receiver are synchronized at relevant intervals. The intervals whence both sender and receiver, typically, will interrupt the flow of data, will typically be a predefined number of words, which we call a page, and which in some instances may be a frame of data transmitted on the Internet. Typically, at the beginning of a page the sender transmits, and the receiver checks the number in the Synch Counter. In a software transmission, or in an internet transmission where pages typically are not properly decrypted in real time, and or when pages are sent on arbitrary paths, and pages may not be received in the proper sequence, the receiver stores a transmission in memory, in a proper order; to be decrypted at a later instant in time.
The Synch Comparator triggers the interrupt when the “Page Equality” designated number of Least Significant bits in the Target Register equals the same Least Significant bits of the Synch Counter. The page size typically is between 4 bits long (16 masks → 16 × 32 = 512 bits of encrypted data in a page) and 10 bits long (1024 masks → 32 K bits of encrypted data in a page). The Synch Counter is typically connected to a Port in the Host, such that at each page end a transmitter precedes the next page of encrypted data with the total or a portion of the total Word count number in the Synch Counter.

Permutation Units: In the preferred embodiments there are two types of displacement permutations and one type of complementary permutations on the outputs of the nLFSRs. The 32 bit outputs of the nLFSR pairs are permuted either by rotation of the nLFSR output or by a pseudo-Brownian permutation. The Hash Matrix permutation is typically a random choice of one of three different displacement combinations or of a “straight through” unaltered passage of the input directly to the output. The four complementary ODDN vectors of XOR gates randomly perform polarity complementation of one of sixteen combinations of from no bit complements to up to a complementation of all 32 bit outputs of the Hash Matrix.

Polarity: In a binary device, two poles are valid, zero and one. Changing polarity, means changing a one to zero or a zero to one. Changing polarity of a device is tantamount to toggling a device.

Primary Clock, (P)Random Clock: The Primary Clock is the only driving step controller in any Single Clock, deterministic mode of operation. In the Dual Clock Mode, all internal signals, and devices with the exception of the autonomous frequency driven signals in the 5 of 6 (P)Random Clock are stepped either by the Primary Clock, or by a derivative of the Primary Clock. In Dual Clock Mode, the autonomous oscillator drives the nLFSRs in the (P)Random Clock.
The output of the 5 of 6 (P)Random Clock module is synchronized to the Primary Clock. The (P)Random Clock drives the control units which randomly trigger slip pulses, select Hash permutations, select ODDN permutations, and select which tiers are activated at a given step.

Pseudo-Random: A condition of a binary string resembling randomness to an observer unacquainted with the temporal condition of the generating device, but predictable to an observer who is acquainted with the device, and knows the temporal input and temporal condition of the device. Literally, pseudo randomness describes a collection or array of symbols, which appears to be random, but in fact is not and is predictable by an observer with knowledge of the configuration of the method or device, and the value of the variables at a given step. To allow for inherent ambiguity between pseudo-random and random, this document typically refers to both states as seemingly random, or often as random.

Pulse: A short aberration of a quasi-stationary signal, hence, typically, a short interval of one, on a signal that is typically zero. Typically, in these devices, pulses used for activation are synchronized to the primary clock.

Random, Pseudo-Random & Seemingly-Random: Typically, a varying state of high entropy and/or a state of difficult to anticipate or predict output values. In practice, a pseudo-random generating device is herein considered a random generating device if the logic values on the plurality of inputs to the device are intractably difficult to predict. To allow for possible ambiguity, in this document, reference is typically made to “seemingly random” bits, words, and sequences or often simply random, in a deterministic function wherein the plurality of internal variables are not known to an observer who senses a “seemingly random” function.
Often a signal is truly random in one mode, e.g., RNG; pseudo-random in another, e.g., SCE; and known to the user and/or an adversary who have knowledge of the system and the input, e.g., MAC mode. The reader typically understands the degrees of ambiguity from the context.

Random Number Generator, RNG: A Random Number Generator, RNG, is typically a device that generates strings of unpredictable binary bits, which when concatenated into longer strings remain unpredictable, even in those instances where an oracle knows the precise logic implementation (hardware or software). There are many standard tests to judge if a long string is seemingly random, some of which are very demanding; e.g., Marsaglia's Die Hard suite of tests. There is a plurality of analytical tests, wherein the cryptoanalyst knows the internal workings of the device, and has a partial result string wherein the analyst is able to define and predict all, or some portions of the next values of the string. Unintegrated segments of the ZK-Crypt have passed DieHard and NIST tests when Sampled at each actuation of a clock. See Exhaustive Search.

Register Bank, (Non-Linear Feedback Shift Register) nLFSR Register Bank: The Register Bank is the complex of moving feedback shift registers and logic devices of FIG. 2, operative to generate a non-linear input to the Hash Matrix and to generate seemingly random rules to regulate the Hash Matrix and the Odd Number Permutations. The Register Bank consists of three tiers of control units and three tiers of non-linear combinations of feedback shift registers and permutation logic.

Register Tier: Typically a 32 cell combination of two juxtaposed nLFSRs operative to output a first 32 bit word which is mapped into a second fixed displacement permutation word, wherein the first and second words are XOR combined at random instants and in the complementary instants only the first word is output from the tier.

Rotate and XOR Tier Output Word: An alternative to the pseudo Brownian Motion displacement correlation deterrent function, wherein the Brownian displacement routine of each tier is replaced typically by a single, double or triple left hand rotate of the output of the Top, Middle and Bottom Tier, respectively; e.g., the Top Tier is “multiplied by two”, (left shifted one bit), and the 00, (MS) bit is “carried into” the LS, (31^(st)) bit's location. The advantage of this scheme is the relative ease to execute the transformation in a hardware compliant software application. See Brownian Motion.

Sample (Function), Internally and Host Initiated: A Sample command received directly from a Host, or derived from a Host command, e.g., Multi-Step Synch to Target, in the preferred embodiments activates an instantaneous processing of the binary contents of the Register Bank and the Data Churn. A sampling procedure occurring at a random instant, uncorrelated to the temporary condition of a pseudorandom device is a random Sample. In the preferred embodiments, a Sample command is operative to XOR the three potentially reduced entropy tiers of nLFSRs, to perform a permutation via the Hash Matrix, to have a seemingly random complement of the Hash output bits, to both store the output of the Hash Matrix in the Intermediate Buffer and to XOR the output of the Hash Matrix, with the previous output of the Hash Matrix, which was stored in the Intermediate Buffer, and XOR this word with the 32 bit Message Word/Random Mask (especially for Stream Cipher encryption and decryption and for MAC validation) and to optionally store either the Mask or the encrypted word in the Feedback Store to modify the contents of the Register Bank in the next step.

Seemingly Random: Whether a string of binary bits or words is purely random, colored random, or pseudo random is often philosophical, often ambiguous, and is generally dependent on the observer's knowledge of the generating function and the state of the variables.
Using the expression, “seemingly random” evades the basic problem, as a given word variable may be pseudo random to a random oracle privileged to know internal secrets, but conversely unpredictably random to a non-privileged observer, entitled, at most to see a sequence of generated seemingly unpredictable words.

Shift Register: In a simple shift register or a Many to One shift register, the binary symbol in each flip-flop is transferred to the adjacent flip-flop as is, with the exception of the Most Significant (MS) value which is fed out. In software implementations this is typically the Right Shift command. In the Many to One shift register, at least two outputs are XORed and “fed back” into the Least Significant Flip-flop, typically in a seemingly random sequence. Typically, in hardware implementations a number of concatenated D type flip-flops are connected, typically, with relevant logic between the cells. In the preferred embodiments, both the parallel outputs and the serial outputs are integrated into the final result. At each step of the One to Many LFSR the feedback bit from the MS flip-flop is “multiply returned” to XOR logic gates between adjacent flip-flops, such that a feedback of binary value one will complement the “moving value” between flip-flops, as opposed to Many to One LFSRs wherein such “moving values” are unchanged. The One to Many configurations add to local “confusion”. The output may be read as a word, in parallel, or as a serial output, typically from the right hand flip-flop. The sequences of the serial outputs of both LFSR configurations are identical.

Significant, Most Significant, MS, Least (LS) Significant: See Least Significant.

Slip Sequence Function: A function that causes a pseudo-random jump displacement in a conventional LFSR. The slip is from a word in the conventional LFSR sequence to another seemingly random word in the conventional LFSR sequence. XORing a feedback signal with a random pulse of polarity one implements the slip process.
This is a random displacement of an n bit output word from one location in the sequence of 2^(n) words to another unique word in the 2^(n) word sequence.

Software Embodiment: A preferred mode embodiment of operation of equivalent cryptographic strength is enacted wherein the randomly displaced bit permutations are not activated, e.g., the Pseudo Brownian Auto-XOR and Hash permutations are disabled in a communicating ZK-Crypt device and are replaced by an equivalent entropy operation, wherein the Wait and Sample function is exercised more than one clock cycle between Samples, thereby generating an accelerated software method, typically using byte and word oriented software commands, available on RISC and CISC CPUs, as opposed to bit oriented operations necessary to scramble the Hash Matrix vectors and the Brownian vectors in the normal single step encryption and decryption. For such hybrid software/hardware communications both the hardware device and the software simulating device operate in the Wait and Sample venue. Wait and Sample is less efficient than single step encryption/decryption. (See Rotate and XOR Tier Output Word for a software “friendly” alternative to the Pseudo Brownian Motion displacement function.)

Spectrum: A term adopted from optics, where a color in the binary spectrum may typically be a small pattern that is either overly repeated in a long sequence, or inordinately omitted from said sequence.

Stream Cipher Encoder, SCE: Stream ciphers are symmetric encryption devices. As defined by Rueppel in Analysis and Design of Stream Ciphers; “stream ciphers divide the plain unencrypted text into characters and encipher each character with a time-varying function whose time-dependency is governed by the internal state of the stream cipher. After each character that is enciphered, the device changes state according to some rule.
Therefore, two occurrences of the same plaintext-character will usually not result in the same ciphertext character.” In conventional stream ciphers, characters are binary bits, and the time dependency is a function based on a plurality of Many to One type LFSRs, where a combined output of the plurality of LFSRs is XORed bit by bit to a message stream, which is first encrypted by the encryption stream, and subsequently decrypted by XORing each binary bit in another device using the same secret initializing key. In the stream cipher of this invention, the feedback shift registers are non-linear feedback shift registers based on One to Many LFSRs, and the characters are typically 32 bit words.

String, Binary and Random: A varied length concatenation of ones and zero bits.

Stuck on Zero: The malfunction that occurs in conventional LFSRs, wherein the output of all flip-flops in the shift register are at zero output polarity. With the shift register in such a state, the feedback is “stuck” at zero. The configurations of the nLFSRs in the preferred embodiments prevent the Stuck on Zero syndrome.

Synch Counter: In the present invention, the counter that records the number of Sampled words from the first initialized Sample (after the preset variables have been initialized with the secret key, and the other variables have been reset to zero). In preferred embodiments of this invention, the device is operative to initialize itself to a targeted word, by re-initializing the device with the secret key, and activating the device to pseudo-Sample until the device is conditioned to continue sampling from the targeted word.

Tier, see Register Tier: The Register Bank's seemingly random output source are the three tiers (Top, Mid and Bot) of concatenated pairs of nLFSRs mapped in a many to one configuration.
Attached to each tier's parallel output of concatenated nLFSRs, is a pseudo Brownian reverse direction permuting logic vector, where optionally, the permutation and the concatenation are XORed together to form a seemingly random ENS. See FIGS. 2, 7, and 12. (See Rotate and XOR Tier Output Word for a software “friendly” alternative to the Pseudo Brownian Motion displacement function.)

Tier Combiner, 3 Tier Combiner: In the preferred embodiment, the word outputs of the three tiers are XORed together into a combined output.

Toggle: A complementary change of a binary signal, i.e., a change of a one to a zero or a change of a zero to one.

Uncorrelated clock frequencies: Typically a condition wherein the least common denominator of two clock frequencies is the integer, one.

Variables, Native, Obscure & Public: The native variables consist of those values that are directly loaded by the host into the 128 flip-flops in the Register Bank and the Cipher Control word. When operated in a Feedback Mode, the 64 flip-flops in the Intermediate Store and the Feedback Store can assume secret, non-observable values. In addition, 3 flip-flops in the (P)Random Clock generator, 1 flip-flop each in the Top, Mid and Bot Control units, bring the total to 198 secret key binary variables. Public Variables include the 32 bit Synch Target Variable, the Synch Counter value, and the Sample Delay Vector. See keys.

Word: A defined length of a binary string. Typically, the length of a word is longer than one byte. In a preferred embodiment the word length is 32 bits.

Work Factor: The number of computational trials using a given method, necessary, on the average to compromise a cryptographic process. A work factor of at least 2¹⁰⁰ trials is generally considered sufficient. Compromising Single DES on random data, using brute force guessing, has an average work factor of 2⁵⁵.

XOR: Abbreviation for Exclusive OR. Typically, in hardware devices a 2 input logic gate used in modulo 2 arithmetic.
For the two input XOR gate, an input of same polarity inputs is operative to output a zero; and for either combination [(0, 1) and (1, 0)] of one and zero, the XOR function outputs a one. For a single bit output XOR function with a plurality of inputs, the output is a one, if the number of “one” inputs is odd; else the output is zero. XOR gates are depicted typically as encircled crosses, or as conventional twos complement gates. In GF(2) logic equations, XOR is conventionally symbolized with the plus sign, +. The capitalized abbreviation XOR is used as a transitive verbal participle, e.g., A is XORed to B; and as a primitive logic function, e.g., 1 XOR 0 = 1. In hardware implementations, as in software methods, XORing a word defines bit wise XORing of all same position bits in two XORed words operative to generate an output word. NXOR is the abbreviation of NOT XOR, and is the complement of XOR. Conventional implementations of XOR and NXOR use the same number of transistors.

Zero-Knowledge, Z-K: In the preferred embodiments of this invention, a condition wherein knowledge of the output sequence of the device typically grants no knowledge of the binary status of any of the internal variables in the device. It is to be noted that the three principal ZK-Crypt functions, RNG, SCE and MAC are similar, and in many instances two of the three are configured. The RNG may be configured identically to the SCE encryption mode, wherein an uncorrelated message word in the RNG mode typically adds complexity to the result. Both RNG and SCE may be configured in a Feedback Mode, wherein the Mask Word (RNG Output) may typically be fed back into the Register Bank.
Similarly, the RNG and the MAC digest can be configured identically, where the Message word is included in the Feedback.

ZK-Crypt: The abbreviated name of both the Hardware and Software implementations of the herein described method and device, operative to generate Random Number Words and Sequences, to encrypt and decrypt streams of binary words, and to validate the unaltered status of a stream or file of binary data.

LFSR Basic Configurations

There are two basic configurations of linear feedback shift registers (LFSRs), the Many to One configuration, where pairs of flip-flop outputs are XORed to generate a single bit of feedback to the input in the first flip-flop of the register, and the One to Many configuration, wherein the binary output simultaneously XORs the same pairs of flip-flops. The serial outputs of the two types of shift registers are identical “pseudo-random” sequences. The sequence of n-bit words at each clock shift of the Many to One type “looks” to the chance observer to be an extremely regular (low entropy) listing of ones and zeroes, where n−1 bits of the last word are simply shifted “en masse” to an adjacent position, whereas in the One to Many sequence, the listing of words is typically jumbled. In the One to Many configuration, (also called the multiple return configuration) whenever the feedback bit is a binary “1” many of the shifted bits in the next word are complemented. (In the preferred register bank embodiments, there are a minimum of six complemented bits in every multiple return nLFSR.)
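The comparison above can be checked on a small register. This is an added example, not code from the patent: it assumes an 8-bit register with the maximal-length tap set 8, 6, 5, 4 (the patent's registers are wider and add slip pulses), integer bit 0 stands for the output cell, and all function names are hypothetical. It also models the NOR extension from the glossary that removes the Stuck on Zero state.

```python
# Added illustration: one 8-bit register in both feedback configurations.
# TAPS is an assumed maximal-length tap set (x^8 + x^6 + x^5 + x^4 + 1),
# chosen for this example only. Bit 0 of the integer is the output cell.
N = 8
TAPS = (8, 6, 5, 4)
FULL_PERIOD = 2 ** N - 1

# Many to One: these cells are XORed into a single feedback bit.
FEEDBACK_CELLS = tuple(N - t for t in TAPS)
# One to Many: the output bit complements these cells of the shifted word.
RETURN_MASK = sum(1 << (t - 1) for t in TAPS)


def step_many_to_one(state, nor_extension=False):
    """Shift one cell; return (next_state, serial_output_bit)."""
    out = state & 1
    feedback = 0
    for cell in FEEDBACK_CELLS:
        feedback ^= (state >> cell) & 1
    # NOR extension: when the N-1 cells behind the output cell are all
    # zero, invert the feedback so the all-zero word joins the cycle.
    if nor_extension and (state >> 1) == 0:
        feedback ^= 1
    return (state >> 1) | (feedback << (N - 1)), out


def step_one_to_many(state):
    """Shift one cell; a feedback bit of one complements the tapped cells."""
    out = state & 1
    state >>= 1
    if out:
        state ^= RETURN_MASK
    return state, out


def step_with_nor(state):
    return step_many_to_one(state, nor_extension=True)


def serial_bits(step, seed, count=FULL_PERIOD):
    """Serial output of `count` steps as a string of 0/1 characters."""
    state, bits = seed, []
    for _ in range(count):
        state, out = step(state)
        bits.append(str(out))
    return "".join(bits)


def period(step, seed):
    """Number of steps until the register returns to `seed`."""
    state = seed
    for n in range(1, 2 ** N + 1):
        state, _ = step(state)
        if state == seed:
            return n
    return None


def bits_beyond_shift(step, seed):
    """Per step over one period: how many bits of the next word are NOT a
    plain shifted copy of the current word."""
    state, counts = seed, []
    for _ in range(FULL_PERIOD):
        nxt, _ = step(state)
        counts.append(bin(nxt ^ (state >> 1)).count("1"))
        state = nxt
    return counts


if __name__ == "__main__":
    m2o = serial_bits(step_many_to_one, 1)
    o2m = serial_bits(step_one_to_many, 1)
    print("serial streams equal up to phase:", o2m in m2o + m2o)
    print("Many to One, bits changed beyond the shift:",
          sum(bits_beyond_shift(step_many_to_one, 1)))
    print("One to Many, bits changed beyond the shift:",
          sum(bits_beyond_shift(step_one_to_many, 1)))
    print("stuck on zero period:", period(step_many_to_one, 0))
    print("period with NOR extension:", period(step_with_nor, 0))
```

An observer of the serial bit learns the same thing from either register; only the parallel words differ, which is why the word-wide output is where the One to Many form matters.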

Clock Modes and Initial Conditions

In single clock mode, the primary clock is typically the oscillating source of the randomizing clock. When operating as a random number generator in single clock mode, unpredictable inputs generated during the initialization and “re-initialization” procedures cause the unit to “take on” an unpredictable condition capable of producing a binary stream which is typically unpredictable. In a unit which does not employ a second uncorrelated oscillator, an unpredictable initial condition can typically be achieved by activating individual tiers of nLFSRs for the unpredictable intervals when key switches in keypads are closed; typically in mobile phones and remote television controllers. In devices, e.g., wireless communication devices, wherein an uncorrelated oscillator interferes with normal communications, an unpredictable initial condition necessary for obtaining random word sequences can be obtained by operating the generator in dual clock mode prior to inaugurating sampling random words. In dual clock mode, an autonomous, typically ring, oscillator actuates the randomizing clock for a reasonable interval, and subsequently causes an unpredictable initial condition, a prerequisite for random number generators.

In the single clock deterministic mode, an adversary who knows an exact equivalent of the ZK-Crypt device could conduct an exhaustive search of all initial conditions, enabling such an adversary to “impersonate” a valid owner of a single secret key. Industry standards identify a work factor to mean the average number of trials necessary for an adversary to execute in order to break a particular code. As proper use of stream ciphers entails establishing a new seemingly random secret key for each session, the exhaustive search is not the most cost effective or quickest way to compromise such a cipher. In the described preferred embodiment, there are 128 directly programmable initial condition flip-flops, the native key, and another 70 extension programmable flip-flops, the obscure initial condition key. Typically, the adversary must know the initialization value of each flip-flop variable (or the firmware equivalent) in order to recreate a proper output sequence.

When operated as a stream cipher, typically, a new 128 bit random number “secret session key” will be generated, and encrypted, typically with a user's public asymmetric key to be part of the header of the encrypted file or with a derived key which is a known function of the base secret key.

When the encryption is part of a large file, the option of insuring page and mask synchronization is increasingly important as loss of page synchronization is tantamount to error propagation in all conventional chained block encryption methods, e.g., DES. In the 32 bit Synch & Page Target Register, a target address is loaded. The least significant 4 to 10 Page Equality bits of the target address signify if and when an interrupt signal will flag the host, to program a transmission. At each sampling of the Intermediate Correlation Immunizer, the Mask Synch & Page Counter is incremented.

Interrupts

Two interrupt signals are generated by the Equality Logic Array, (a double comparator). The 3 bit Page Equality (Select) signifies how many LS bits of the Mask Synch & Page Counter are to be compared to the target address to trigger an interrupt. The page interrupt typically serves to insert the present Mask Synch & Page Count number into the header of a transmitted packet, to aid the receiver to synchronize packets (pages), as in long Internet transmissions, packets traveling separate routes are often not received in the proper sequence.

A “Target” interrupt is issued when the Mask Synch & Page Counter and the Synch & Page Target Register values are equal. Typically, this is used with one of the Synch to Target commands, which prepare an encryption mask for decrypting from an intermediate point of a long file.

Bias and Aberrations

Experience has shown that single and multiple bit biased aberrations of nLFSRs unexpectedly occur, as all stages and all individual bits of an LFSR are intuitively unbiased. All seemingly unbiased output bits of all nLFSRs in all three tiers, are XORed to at least three other seemingly unbiased variables. This guarantees reasonably close to zero bias for all random strings.

With good reason, it can be assumed that few nLFSR bits will be biased. In the following exaggerated example, two input to XOR bits are both heavily biased. If biases are binary mirror symmetric (one bit is heavily biased to “1”, and the complement bit is heavily biased to zero), the statistics are complementary.

The first example shows how, after three stages of XORing two unlikely biased bits, the final result statistic is free of bias. The second example shows that if only one bit of the pair is biased, the result bit is unbiased.

A (0.7 to 0.3) biased to zero x'th bit with output improved by XORing-

| The 4 x_(i) ⊕ x_(j) Samples | Probability of i'th input | Probability of j'th input | Output Bit_(i) ⊕ Bit_(j) | Probability of a “0” Output | Probability of a “1” Output |
|---|---|---|---|---|---|
| 0 ⊕ 0 | 0.7 | 0.7 | 0 | 49% | |
| 0 ⊕ 1 | 0.7 | 0.3 | 1 | | 21% |
| 1 ⊕ 0 | 0.3 | 0.7 | 1 | | 21% |
| 1 ⊕ 1 | 0.3 | 0.3 | 0 | 9% | |

Average XORed output x'th bit—58% “0”s to 42% “1”s, a 60% reduction of bias.

Where the previous result biased bits are again XORed-

| The 4 x_(i) ⊕ x_(j) Samples | Probability of i'th input | Probability of j'th input | Output Bit_(i) ⊕ Bit_(j) | Probability of a “0” Output | Probability of a “1” Output |
|---|---|---|---|---|---|
| 0 ⊕ 0 | 0.58 | 0.58 | 0 | 33.6% | |
| 0 ⊕ 1 | 0.58 | 0.42 | 1 | | 24.4% |
| 1 ⊕ 0 | 0.42 | 0.58 | 1 | | 24.4% |
| 1 ⊕ 1 | 0.42 | 0.42 | 0 | 17.6% | |

Average XORed output x'th bit—51.2% “0”s to 48.8% “1”s, an 85% reduction of bias.

and after at least one more serial XOR of the resulting bits-

| The 4 x_(i) ⊕ x_(j) Samples | Probability of i'th input | Probability of j'th input | Output Bit_(i) ⊕ Bit_(j) | Probability of a “0” Output | Probability of a “1” Output |
|---|---|---|---|---|---|
| 0 ⊕ 0 | 0.512 | 0.512 | 0 | 26.2% | |
| 0 ⊕ 1 | 0.512 | 0.488 | 1 | | 25% |
| 1 ⊕ 0 | 0.488 | 0.512 | 1 | | 25% |
| 1 ⊕ 1 | 0.488 | 0.488 | 0 | 23.8% | |

Average XORed output x'th bit—50% “0”s to 50% “1”s, minuscule bias—close to 100% removal of sensed bias for what might be considered an impossible FSR output.

Example of a biased bit XORed to an unbiased bit.

| The 4 x_(i) ⊕ x_(j) Samples | Probability of i'th input | Probability of j'th input | Output Bit_(i) ⊕ Bit_(j) | Probability of a “0” Output | Probability of a “1” Output |
|---|---|---|---|---|---|
| 0 ⊕ 0 | 0.7 | 0.5 | 0 | 35% | |
| 0 ⊕ 1 | 0.7 | 0.5 | 1 | | 35% |
| 1 ⊕ 0 | 0.3 | 0.5 | 1 | | 15% |
| 1 ⊕ 1 | 0.3 | 0.5 | 0 | 15% | |

Average XORed output bit—50% “0”s to 50% “1”s

Showing that XORing an unbiased bit with a biased bit results in an unbiased output.
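The figures in the four tables above can be recomputed, and the assumption behind them made explicit, with a short calculation. This is an added example, not part of the patent: the function names and the correlation parameter rho are assumptions introduced here, and the last function shows the case the tables do not cover, where the two XORed bits are statistically dependent.

```python
def xor_zero_probability(p0_i, p0_j):
    """P(x_i XOR x_j = 0) for two independent bits, given each bit's P(0)."""
    return p0_i * p0_j + (1.0 - p0_i) * (1.0 - p0_j)


def cascade(p0, stages):
    """XOR two independent, equally biased bits, then repeat on the result."""
    history = [p0]
    for _ in range(stages):
        p0 = xor_zero_probability(p0, p0)
        history.append(p0)
    return history


def bias(p0):
    """Distance of P(0) from the unbiased value 0.5."""
    return abs(p0 - 0.5)


def correlated_joint(p0, rho):
    """Joint distribution of two bits, each with P(0) = p0, with correlation rho.

    rho = 0 is the independent case used in the tables; rho = 1 means the two
    bits are always equal. Valid for 0 <= rho <= 1.
    """
    q = 1.0 - p0
    shared = rho * p0 * q
    return {
        (0, 0): p0 * p0 + shared,
        (1, 1): q * q + shared,
        (0, 1): p0 * q - shared,
        (1, 0): p0 * q - shared,
    }


def xor_zero_probability_joint(joint):
    """P(x_i XOR x_j = 0) from a joint distribution; no independence assumed."""
    return joint[(0, 0)] + joint[(1, 1)]


if __name__ == "__main__":
    for stage, p0 in enumerate(cascade(0.7, 3)):
        print(f"stage {stage}: P(0) = {p0:.8f}  bias = {bias(p0):.8f}")
    print("biased with unbiased:", xor_zero_probability(0.7, 0.5))
    for rho in (0.0, 0.5, 1.0):
        p = xor_zero_probability_joint(correlated_joint(0.7, rho))
        print(f"rho = {rho}: P(0) after XOR = {p:.4f}")
```

With independent inputs each stage maps a bias ε to 2ε², matching the tables; as rho grows the XOR output drifts toward all zeroes, so the reduction holds only to the extent that the XORed variables are uncorrelated.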

Proof: For a bias of ε, where one polarity, e.g., 0, has a probability of 0.5+ε, the complement polarity would then be 0.5−ε, where ε<<0.5.

First polarity, e.g., “0”, output for 0⊕0 and 1⊕1, would be the sum of a) and b):

a) (0.5+ε)(0.5+ε) = 0.5² + ε + ε²

b) (0.5−ε)(0.5−ε) = 0.5² − ε + ε²

with an average bias of 0.5+2ε². As ε<<0.5, 2ε²<<ε, for ε=0.02 (a huge bias), 2ε²=0.0008<<0.02. (Note, ε is by definition less than 0.5, as 0.5+0.5 defines a probability of one, and there can only be a single polarity, “1” or “0”.)

Loss of Entropy with the Pseudo-Brownian Permutation or Simple Rotate and XOR Permutations

There is a small loss of entropy when a proper permutation of a random binary string is XORed to itself. The input into the pseudo-Brownian Auto-XOR is the present value of the tier's two nLFSRs. Minimally, there are two seemingly uncorrelated inputs for each possible auto-XORed output; e.g., a two to one mapping. Suitable displacement vectors can be constructed to cause 2, 4, 8 and even 16 to one mapping.

The contrived displacement vectors of this invention are rotated versions of the same “Brownian” orientation, which is used on all three tiers. The XORed result of the three tiers we consider to be a correlation resistant non-linear summation which, assuming that the nLFSRs can assume any value, is one of 2³²/2 seemingly colored random values, with the single constraint that the number of ones is even, e.g., in the 32 bit string there are 0, 2, 4, 6, . . . 30, 32 ones and 32, 30, . . . 6, 4, 2, 0 zeroes respectively. The “color” is removed subsequent to the Hash Permutation by the ODDN complementors.

The Brownian auto-XOR mapping reduces the necessary number of three clock activations of the three tiers between samplings to the present economical single clock activation where only one seemingly random tier is activated at each sampling.

In a binary string with an even number of binary bits; the result of XORing the original string with any permutation of the original string will always result in a third string which will have an even number of ones and an even number of zeroes. We call these output strings, “even numbered strings”, ENSs, and note that ENS_(i) XORed to ENS_(j) produces ENS_(k), a third “even numbered string”. As all three tier outputs are ENSs, albeit each with a reduced different combination of possible outputs, then the input to the Hash Permutation Matrix is also an ENS. Though such strings passed DieHard and NIST, as will be seen in the Hash Matrix section, we randomly complement an odd number of the ENS bits to produce ONSs, “Odd Number Strings”. Duality exists with the normal exclusive OR function, e.g., ENS_(i) XOR ONS_(j) = ONS_(k) and ONS_(i) XOR ONS_(j) = ENS_(k).

Two pseudo-Brownian vectors of the three Brownian displacement vectors, when XORed to the tier nLFSR pair concatenation output create a two to one mapping, i.e., each of the 2³¹ outputs is an ENS, and all ENSs appear twice, when the full 2³² word sequence is generated.

The TOP Tier Reversed Pseudo-Brownian Motion bit permutation vector is a two to one mapping:

a) 19, 18, 17, 16, 15, 14, 13, 12, 31, 30, 29, 28, 27, 26, 25, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 23, 22, 21, 20, 24.

The MIDDLE Tier Reversed Pseudo-Brownian Motion bit permutation vector is also a two to one mapping:

b) 20, 24, 19, 18, 17, 16, 15, 14, 13, 12, 31, 30, 29, 28, 27, 26, 25, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 23, 22, 21;

The BOTTOM Tier Reversed Pseudo-Brownian Motion bit permutation vector is a four to one mapping:

c) 24, 19, 18, 17, 16, 15, 14, 13, 12, 31, 30, 29, 28, 27, 26, 25, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 23, 22, 21, 20.

Similarly, a single or triple right or left hand rotate maps into a 2 to one mapping, a double rotate maps into a 4 to one mapping, and a quadruple right or left hand rotation maps into a 16 to one mapping.
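The mapping counts stated for the rotate and XOR alternative can be checked by treating x → x ⊕ rot(x, r) as a linear map over GF(2). The following is an added example, not code from the patent: it computes the rank of that map for 32 bit words and brute-forces a 16 bit reduced model. The function names and the reduced model are assumptions, and the 2^gcd(32, r) rule generalizes beyond the four rotations the text names.

```python
from math import gcd

WIDTH = 32


def rotl(x, r, n=WIDTH):
    """Rotate an n-bit word left by r positions."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def rotate_xor(x, r, n=WIDTH):
    """The auto-XOR: a word XORed with a rotated copy of itself."""
    return x ^ rotl(x, r, n)


def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are given as integer bitmasks."""
    pivots = {}
    for row in rows:
        while row:
            high = row.bit_length() - 1
            if high not in pivots:
                pivots[high] = row
                break
            row ^= pivots[high]
    return len(pivots)


def preimages_per_output(r, n=WIDTH):
    """How many input words map onto each reachable output word."""
    images = [rotate_xor(1 << i, r, n) for i in range(n)]
    return 1 << (n - gf2_rank(images))


def predicted_preimages(r, n=WIDTH):
    """Inputs fixed by the rotation are constant on its gcd(n, r) bit cycles."""
    return 1 << gcd(n, r)


def exhaustive_check(r, n=16):
    """Brute force on a reduced width: (distinct outputs, every output has even parity)."""
    outputs = {rotate_xor(x, r, n) for x in range(1 << n)}
    return len(outputs), all(bin(y).count("1") % 2 == 0 for y in outputs)


if __name__ == "__main__":
    for r in (1, 2, 3, 4):
        print(f"rotate by {r}: {preimages_per_output(r)} to one on 32 bits")
    for r in (1, 2, 4):
        count, even = exhaustive_check(r)
        print(f"16 bit model, rotate by {r}: {count} distinct outputs, all ENS: {even}")
```

A left rotation by r is a right rotation by 32 − r, and gcd(32, r) = gcd(32, 32 − r), so the direction of rotation does not change the count.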

Sources of Uncertainty

The sources of uncertainty of the output of the ZK-Crypt include:

1) A missing pulse randomizing clock operative to cause uncolored random trauma to nLFSR sequences with an average aggregate frequency of more than ⅚ of the primary clock frequency.

2) The randomizing clock when activated by the primary clock, synchronized to the system clock issues a synchronized stream with “missing” pulses. In a preferred embodiment, the stream is driven by inputs from the mechanism that detects n−1 zeroes in each of the 6 unique nLFSRs, (n=13, 14, 15, 17, 18, and 19), and the feedback outputs from the 17 and 13 bit nLFSR. In the randomizing clock, two “many to one” LFSRs transform these aberrations into a colored pseudo-random output sequence, where the probability of an output pulse being a one is approximately 0.841.

3) The three control units which are driven by the randomizing clock, operative to transmit seemingly random pulses, to randomly selected ODDN XOR switches and configuration signals to the tier select and clock control. Aberrations of the control sequences are driven by internally generated random inputs to the seemingly random counter that defines when the slips and configuration changes occur; and also aberrations by feedback bits from all six nLFSRs; and an internal pseudorandom LFSR that defines via the slip encoder which nLFSRs endure a slip displacement.

4) Each nLFSR progresses from one pseudo-random stage to the next stage, where the sequence is aberrated by a maximum feedback length One to Many feedback configuration where at least six flip-flop outputs mutate the shifted bits, when a feedback signal F_(B) is a “1”. The nLFSRs are non-linear in the sense that the stage in a sequence is randomly changed by slip pulses occurring at uncorrelated instants and by a sensor that inserts an all zero word into the set of 2^(n) possible words of each nLFSR where the three aberrating signals are XORed together in the feedback.

5) When in a feedback mode, a non-linearized, correlation immunized previous word result is fed back into the three tiers (all of the nLFSRs). Only tiers which are activated are affected by the instantaneous feedback. There is a maximum current consumption option, where all three tiers are activated at each Sample. The feedback mode is mandatory, only for message authentication signatures.

6) When Sampled, the output, X_(i) of each tier is scrambled into a pseudo-Brownian word, X_(j), and the two words are XORed to produce an output word, Y, the bits of which are reasonably assumed to be unbiased and less correlated to the original X_(i). (See Rotate and XOR Tier Output Word for a software “friendly” alternative to the Pseudo Brownian Motion displacement function.)

7) At each sampling, the output of the three tiers is XORed into a single word, regardless if an individual tier is or isn't activated at the sampling cycle.

8) The result 32 bit word of the three tiered XOR is, in a preferred embodiment, input into a hash matrix, operative to scramble (hash) the bit placement of the output word. In a preferred embodiment, the matrix consists of four permutations. The matrix vector permutation selector is a randomly juggled 4 bit Johnson Counter.

9) The output of the hash matrix is modified randomly by one of 16 combinations of seemingly random vector odd numbers of XOR gates (ODDN filter) which complement randomly selected bits of the Hash Matrix output.

10) The output of the ODDN filter is input into the Correlation Immunizing Intermediate Store and Hi-Level non-Linear Combiner of the two last inputs.

11) The Stream Cipher Pseudorandom Encryption Mask is XORed to the Message word (either plain text to be enciphered, or cipher text to be deciphered).

12) A second Correlation Immunizing Store and Hi-Level non-Linear Combiner accepts an input word (typically, the encryption mask for RNG and SCE modes) when in Feedback mode, wherein such correlation immunized word is fed back to the three tier inputs.

The method of this invention is implemented in hardware and software, wherein software solutions are compatible but less time and energy efficient than the hardware depicted in the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is described in conjunction with the drawings in which:

FIG. 1 is a simplified functional block diagram overview, depicting the interaction of main functionalities of the invention.

FIG. 2 is a more detailed functional block diagram, showing essential input/outputs to the ZK-Crypt from a computerized Host.

FIG. 3 is a simplified block diagram of the Finite State Machine operative to synchronize external controls, and supply necessary clock pulses.

FIG. 4 is a simplified block diagram of an integrated clocking device operative to output either colored pseudo-random or random pulses, synchronized to the primary clock input.

FIG. 5 is a simplified block diagram depicting the method of parsing packets of “message” into pages, or into a targeted address, wherein a dual comparator transmits page and target address interrupts.

FIG. 6 is a simplified block diagram depicting the integration of the top, middle and bottom control units, operative to select ODDN complementors, to activate tiers singly, or in groups, and to emit slip displacement pulses.

FIG. 7 is a simplified diagram of the data processing modules driven by control devices of FIGS. 3, 4, 5, and 6.

FIG. 8 is a simplified functional block diagram describing the Top, Middle and Bottom control units, operative to drive the tier selects and clock control, the ODDN switches, and the slip encoder of FIG. 6.

FIG. 9 is a matrix table demonstrating the permutations on the 3 tier XORed word directed by the Johnson Counter Random Stepper of FIG. 10, and the ODDN switches.

FIG. 10 is a state diagram depicting the operation of the joggled Johnson Counter Random Stepper operative to activate the Hash vectors of FIG. 9.

FIGS. 11A and 11B show the typical circuitry of a Multiple Return nLFSR (13 Bit nLFSR of the Top Tier) with mechanism for loading, for processing slip pulses, and to accept optional feedback words.

FIG. 12 is a mapping of the Top Tier of 13 and 19 bit nLFSRs output, X vector, into the pseudo-Brownian Y vector, with controls and MAC Feedback.

FIG. 13 demonstrates the chaining of the MAC message inputs into the E stages of the Hash digest, and the unchanged signature sequence.

FIG. 14 is a block diagram describing the optional Feedback configuration options for Random Number Generation and Stream Ciphering, and the digested Message Feedback operative in Message Authentication Coding.

FIG. 15A and FIG. 16A are block diagrams depicting correlating immunizing and non-linearizing combiners, with memory and pseudo carry interactions. These combiners serve as the RNG output and the Mask for SCE, and also as the Feedback store, principally for the MAC.

FIGS. 15B and 16B depict preferred circuit embodiments of FIGS. 15A and 16A.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Commands

In the preferred embodiments as illustrated in FIGS. 1 to 16, the following commands, interrupts and data input and output are operative to execute the variety of modes of random number generation, stream ciphering and message authentication coding, RNG, SCE and MAC, respectively.

Always Brownian/Rnd Brownian (FIG. 8): With Brownian Dis/En enabled and Always Brownian the output of all 3 tiers auto-XORs the Brownian displacement vectors with the nLFSR vector. (See Rotate and XOR Tier Output Word for a software “friendly” alternative to the Pseudo Brownian Motion displacement vector.)

Brownian Controls (FIGS. 2, 6): See Always Brownian and Disable/Enable Brownian. (In software “friendly” applications, the Brownian Displacement is typically replaced by a rotational displacement.)

Cipher Reset (FIGS. 2, 3, 4, 5, 6, 8, 11): An asynchronous command used prior to loading the Initial Condition variables for Stream Ciphering or Message Authentication. All variables must be Set to the initial nil condition. Typically, this is the initial condition for Message Authentication.

Cipher Preset (FIGS. 2, 3, 6, 8): A double step synchronous command which follows Cipher Preset and subsequent Host loading of all ZK- Loadable secret and non-secret variables (which typically includes an initial Message Word). Cipher Preset loads the counter for the Wait and Sample sequence (even if not used) and inserts a first value, derived from the Register Bank in the Intermediate Store, and the Feedback Store (if enabled).

Crypto-Message In (FIGS. 1, 2): In a preferred embodiment a 32 bit message word. In a typical hardware implementation the Message Word resides in an output port of the Host during the interval when the Sample Command is activated.

Data Result Out (FIGS. 1, 2, 7, 14): In Single and Multi-Step RNG/SCE/MAC operation the host reads the relevant results after the Sample Step. In a typical hardware implementation, this value resides on a Host input port and is not latched in the ZK-Crypt.

Disable Brownian/Enable Brownian (FIG. 8): For testing, for compliance with a software device and for users' demanding low current consumption, the option exists to disable the Brownian displacement vector auto-XOR. This is not advisable, as there is virtually no loss of entropy, and any long term bias on any bit within the tier is lowered drastically. (See Rotate and XOR Tier Output Word, in Software “friendly” applications.)

Enable Free Run RNG (FIGS. 2, 3): Enabling the Free Run RNG couples the Primary Clock Directly to the System Clock, thereby activating (stepping) the chosen Tiers of the Register Bank for the duration of the Enable command. When the device is in a non-deterministic random number generation mode, particularly when initializing the ZK-Crypt to a random unpredictable initial condition, exercising the Register Bank and the controls for seemingly random intervals, uncontrolled by other Host commands is recommended. Preferably Single Tier activation for separate seemingly random intervals is recommended for initialization.

Enable/Park (FIGS. 2, 3): The command that enables the System Clock, and hence the plurality of ZK-Crypt functions. In most implementations, the Park Mode reduces current consumption during intervals when the ZK-Crypt is not operating. Park does not change variable values.

Enable ODDN (FIGS. 4, 6): Enables the output of TOP, MID & BOT ODDN Permutations and the ODD4 Complementors each of which adds confusion, and complements Even Number Strings to/from Odd Number Strings.

Enable Single Tier Select (FIGS. (1), 6): Typically, the Top/Middle/Bottom Controllers select a single Register Bank tier (to be shifted) in a seemingly random sequence. When the Enable Single Tier Select is active (“1”), the Host is operative to override these single tier selects, and is operative to select any combination of one to three tiers to be shifted when a primary clock is activated.

Enable Synch Counter (FIGS. 2, 3): The enabled Synch Counter is operative to receive a count increment pulse at each instant that a Sample pulse is generated. When the Synch Counter is disenabled, the Equality Comparator and the Synch Counters are in a sleep mode.

Feedback A/B (FIGS. 2, 14): Feedback Multiplexer A is operative to input the masked value of a Message Word into the Feedback Store. The Message Authentication method is operative via Multiplexer A. Feedback Multiplexer B is operative to input the Cipher Mask output into the Feedback Store. An optional mode with stream ciphering.

Feedback Mode (Select = 1) (FIGS. 2, 14): When in Feedback Mode, the ZK-Crypt can increase diffusion and confusion of device/method variables and consequent output data by storing a previous partial word result in the Feedback Store, to subsequently complement bit values of activated tiers of the Register Bank. The MAC digest operation consists of feeding back masked results of Message Words into the Register Bank, thereby diffusing the binary Message Words bits into the binary values of the Register Bank.

Load Commands (FIGS. 2, 3, 4, 5, 6, 10A, 11): Commands and Registers for Loading the Register Bank, the Controls, and the Synch Comparator Register are Host dependent. In the native 128 bit key, all secret I.C. variables are loaded directly. Additional secret inputs are implemented with proprietary protocols feeding message words via the Feedback Store into the Register Bank. All variables, native and obscure are initially set to default values, generally zero, by the Cipher Reset Command. The native 128 bit I.C. variables consist of the 3 tiers of the Register Bank, and the Cipher Control word, which are each loaded separately, after Cipher Reset. Extending the secret keyed initial condition space to include all obscure variables is typically enacted in the Single Step MAC Feedback configuration, wherein a plurality of secret words are preloaded (after Cipher Reset), with the Synch Counter Disabled.

Multi-step Synch to Target (FIGS. (2), 3): The asynchronous command for preparing a decryption mask to start from a targeted word distanced from the first masked word by the target number (T) in the Synch Control Comparator. The ZK-Crypt executes the Wait and Sample Command T + 1 times, and then generates an interrupt to the Host, leaving the proper mask for continued encryption. During each step, a primary pulse activates the Register Bank. During the last step, a Sample pulse also latches the previous Hash Matrix—ODDN permuted output into the Intermediate Store, and optionally latches a value into the Feedback Store.

Page Equality (FIGS. 2, 3, 5): A three bit number operative to regulate an output interrupt to the host, to signify an end of page of encryption masks. The Synch Comparator triggers the interrupt when the “Page Equality” designated number of Least Significant bits in the Target Register equals the same Least Significant bits of the Synch Counter. The preferred embodiment page size is between 4 bits (16 masks → 16 × 32 = 512 bits of encrypted data in a page) to 10 bits (1024 masks → 32K bits of encrypted data in a page). The Synch Counter is typically connected to a Port in the Host, such that at each page end a transmitter can precede the next page of encrypted data with the total or a portion of the total Word count number in the Synch Counter. The all zero (000) Page Equality input deactivates the Page Interrupt flag.

Sample Delay Vector (FIGS. 2, 3): A 4 bit (constant —part of configuration) input specifying the number of primary clocks which activate the Register Bank prior to an automatically activated Sample Command, used only with the Wait and Sample command. The binary vector 1000 = 1 is not a valid input. Single Step RNG/SCE/MAC activation of the ZK-Crypt is the preferred mode of operation and is not affected by the Sample Delay Vector.

Single/Dual Clock Mode (FIGS. 2, 4): In the prior art, and in specific preferred embodiments of this patent, simultaneously interacting uncorrelated oscillators are used as a physical random source for random number generation. Obviously, an unpredictable clock source precludes deterministic number generation, as demanded by ciphering and message validation. To establish unpredictability in number generators, wherein the output is read directly, the result must be read at random intervals, else, predictable patterns are recognized by standard testing programs. The ETSI specifications for wireless devices preclude the use of a frequency source which is not a derivative of the system clock. Many of the chip manufacturers disregard this edict. Typically, an ETSI acceptable device uses an autonomous clock to initialize a random number generator with a sufficiently large number of variables, operative to generate an initial condition which is intractably difficult to predict, during the power-up time interval, whence the device is neither transmitting nor receiving data. A dual clock mode, wherein an autonomous oscillator useful for enabling unpredictability to a user who has extensive knowledge of the initial condition of the system, wherein such user has no relevant constraints on temporal current consumption, or is not in danger of generating noise in the specific electronic circuit. The autonomous oscillator typically is activated only when the primary clock is active, in Host defined commands, which typically include single, burst, or free run primary clock activation. The autonomous clock is only activated for random string generation, typically, for establishing initial random string conditions. The autonomous oscillator is activated by the Dual Clock Mode bit. The Single Clock Mode is typically the default mode for RNG, SCE and MAC applications. When only the Single Clock Mode is allowed, the ZK-Crypt mechanism is typically first loaded with a secret seemingly random seed. Typically, ring oscillators are used as sources for the uncorrelated clocks. In software implementations, there is typically no direct equivalent to an autonomous oscillator. Typically, the user will seed the ZK-Crypt software implementation with the RNG functions of the CPU, and then continue seeding with random input messages in the MAC Feedback configuration. Real randomness in both software and hardware preferred embodiments is obtained, typically, by non-deterministic activations caused, typically by Host derived random intervals caused by users' depression of key switches on keypad. All signals generated by the clock device of FIG. 4 are synchronized to the primary clock which is typically synchronized to the system clock.

Single Hash Vector Mode ((Test) Select = 1) (FIG. 10A): A test command that restricts the Hash Matrix Rule to a single Permutation, primarily for testing. When in Test Mode Presetting the IC control bits 26 and 27 to “1” (11), directly connects the Hash Matrix Inputs to the Hash Matrix Output.

Single Step RNG\SCE\MAC (FIGS. 2, 3): The most efficient and preferred mode of operation for Random Number Generation (from an Initial Condition (Random)); stream cipher encryption and decryption; and message authentication. A single concurrent primary clock pulse and Sample pulse, activates the selected tier and latches the previous output of the ODDN permuted Hash Matrix into the Intermediate Store and optionally also into the Feedback Store. At the end of the cycle, the RNG or SCE result; a random number string; or an en/decrypted message word appears on the result bus, valid until the next Primary Clock pulse which activates the Register Bank. When in MAC mode of operation, the first stepped digest results are not read by the Host, but are “recycled” into the Register Bank at the next step; the last “signature” steps, without Feedback recycling are read by the Host.

Synch Num Out (FIGS. 2, 5): The Synch Counter value is preferably ported to a Host Portal, and is readable at any instant. Typically, for wireless and Internet applications, a portion of the Synch Counter value will be transmitted by the Host at every Page Interrupt. In long Internet transmissions, wherein pages occasionally arrive at a destination at an unexpected order, the Synch Num Out typically will direct encrypted pages to properly designated addresses in storage memory.

Synch Target Address (FIGS. 2, 5): A Word input into the 32 bit Synch & Page Target Register. The Target value typically is the distance to the first word to be decrypted in a long file.

Synch to Target (FIGS. 2, 3): When decrypting a file, starting at any word which is not the starting point, the decryption mask must be activated the “offset” distance from the beginning of the encrypted cipher text. The circuit of FIG. 3 is activated either by the Single Step Synch to Target, in the Single Step Mode, where at each cycle, a new unused mask is generated, or by the Multi-Step Synch to Target, wherein a new unused mask is generated at each Sample signal, using the Wait and Sample module. The procedure generates all unused masks, up to the Synch Target Address, whence an interrupt flag is raised.

Synch to Page Interrupt (FIGS. 2, 5): The Equality Logic Array regulates the number and value of the LS bits of the Synch and Page Target Register operative to trigger an interrupt. The Page Equality denotes one of the seven page lengths. See Page Equality.

Synch to Target Interrupt (FIG. 5): An interrupt flag activated by the Equality Comparator when the Synch Counter value is equal to the value in the Synch and Page Target Register. The Synch Interrupt initial value at Cipher Reset is FF...FF. Cipher preset resets the counter to 00...00.

System Clock (FIGS. 2, 3): The System Clock is typically a derivative of the Host clock. With the exception of the (P)Random Clock generator operating in the Dual Clock Mode, the System Clock is the sole synchronizer/clock driver of ZK-Crypt. The Primary Clock is derived from the System Clock and is active only when commanded by the Host. The System Clock is used to shape pulses.

Top, Mid, Bot Tier Always (FIGS. (2), 6): The three Tier Selectors which are operative to enable any or all tiers when the Enable Tier Select is at “0”. Typically, tiers will be activated singly for testing purposes. For those operations demanding the complexity of three tiers, constant operation, all three Tier Always control bits will be “0”.

Wait and Sample (FIGS. 2, 3): The asynchronous command operative to activate the Register Bank, a fixed number of steps wherein at the last step a Sample command outputs a new result.

FIG. 1 is a self explaining simplified functional block diagram overview, depicting the ZK-Crypt device 15, which interacts with a Host to implement the principal functionalities of the invention; Random Number Generation, RNG, Stream Cipher Encryption, SCE, and Message Authentication Coding, MAC. Typically for RNG, the host sends commands to the ZK-Crypt 15 to generate a random initial condition, such that subsequent unpredictable Data Results Out words are read by the Host preferably one word at every System Clock delivered to ZK-Crypt 15.

Using the Seeded RNG as a Stream Cipher Mask

For the deterministic SCE the Initial Condition is the Secret Encryption/Decryption Key known to the encryptor and the decryptor, wherein the changing variables are the Running Encryption Key. The “Native” key, the first loaded key of the preferred embodiment, consists of four 32 bit words: a control word is loaded into the control/clock module 20, and register bank 30 initial condition words are downloaded into the nLFSR Register Bank.

Using the Seeded RNG as a Message Authentication Coder

For unkeyed MAC, the Host configures the Initial Conditions to a publicly known non-secret value. For secret keyed MAC, 20 and 30 are configured with secret Initial Conditions as in SCE. After native initializing, the secret key can be extended by another “Obscured” 70 bits, by pseudo-encrypting at least three Message words, thereby initializing new seemingly random values, into the Intermediate and Feedback Stores, and another six bits into non-directly programmable flip-flops, and simultaneously increasing complexity of the previously programmed native Initial Condition.

The register bank's tier outputs are XORed together into a 32 bit word to be filtered in the Data Churn 40. The output of register bank 30 is permuted by a Hash Matrix 50 followed by four randomly activated odd number bit Complementors, to preliminarily disguise correlation between stages of the tiers. In the output section 51 the two last outputs from the hash matrix 50 are combined in a non-linear correlation immunizing filter with memory. The output of the combiner serves as the RNG output, and also as the Mask for the SCE, and the mask for the MAC message word. The two last 32 bit XORed results of the Mask and the MAC message word are combined and held in the Feedback Store, to be fed back and digested into the nLFSR Register Bank.

DT2 The Basic Parts of the ZK-Crypt

FIG. 2 is an explicit guide to the interactive functional blocks showing the essential input/outputs to the ZK-Crypt 15 from a computerized Host 10. A brief description of the input and output signals, data and commands is found in the previous table.

Clock Controls

The Clock Controls 150 are a combination of a finite state machine (FSM), an autonomous oscillator and a machine synchronizer. The FSM is operative to exercise the nLFSRs free run, typically for random intervals to establish initial conditions for the RNG, to operate the controls with the (P)Random Clock, either pseudo-randomly for the deterministic SCE, MAC and for a randomly initially conditioned RNG mode. The FSM is operative to initialize an SCE encryption mask for “middle of the file” decryptions, to perform single step or multi-step encryption/decryption, when the Register Bank is activated simultaneously when 150 issues a Sample command, or when the Register Bank is exercised a number of steps before the Sample command. Module 150 also performs the last step of initializing the Register Bank, the delay clocks and the combiner 190. The Clock Controller also toggles the ODD4 Toggle Complementor.

Synch Control

The Synch Control 300 is operative to count the number of executed Sample commands for mid file decryption, for interrupting the Host at the end of a “page”, for interrupting the Host when a targeted number is reached. The Hash Control randomly steps the Hash Matrix 50 at each Sample command operative to change a matrix permutation. The Tier Controls module 110 consists of three autonomous Control units which activate the 3 tiers 120, 130, and 140 randomly one at a time, or together, sending Slip pulses at random instants either to the left or right hand nLFSRs in the tiers, regulating the Brownian auto-XOR permutations and randomly switching three of the four odd number Complementors in 50.

Data Churn

The Data Churn 40 is operative to process the output of the Register Bank 30 when the Clock Controls 150 sends a Sample pulse. The Hash Matrix and ODDN Complementors 50 together form a seemingly random combination of 64 displacement and complementary permutations. The Combiner 190 pseudo half adds the two last Sampled outputs of the Hash matrix. Rueppel has shown that the Combiner 190 operation successfully eliminates any correlation between the output and any of the subelements in the non-linear Feedback Shift Register Bank 30.

In the RNG mode, the output of 170 is typically the Data Result Out. However, an atypical User has the option to further mask the random number output with a message word in message combiner 190. Typically message combiner 190 XOR combines a Message Word, for either the SCE mode or the MAC digest mode, with the Mask output of 170.

The Feedback Mux Store & Correlation Immunizer 400 is similar to the pseudo half adder in 170, principally operative to add diffusion to the Message digesting function of the MAC.

DT3 Clocking Functions

FIG. 3 is a simplified block diagram of the Crypto Function Timing Control Circuitry operative to synchronize external controls, and supply necessary clock pulses. The Timing Control Circuit is designed to regulate all of the initialization and operative phases of the SCE (Stream Cipher Encryption) / MAC (Message Authentication Code) / RNG (Random Number Generation) modules with mode options for variable complexity, speed and power consumption.

Other Clock Modes

The ZK-Crypt consumes minimum energy when the gate 151 is set in Park mode, thereby disabling the System Clock, and when the Source Clock, FIG. 4, is in Single Clock Mode, and the Ring Oscillator 205 is quiescent. Setting gate 152 in Free Run Primary mode typically exercises the ZK-Crypt in a higher current consumption mode, operative to randomize tiers for RNG functions.

Initialization

Initialization of the ZK-Crypt via the Function Timing Control Circuit for SCE and MAC functionality (and also for testing functionality of the ZK-Crypt) must always commence with the (global) Cipher Reset. (Resetting the ZK-Crypt prior to generating random numbers typically reduces entropy, and is not advised.) Following the Cipher Reset Command, the Initial Conditions must be loaded, including the three tiers 120, 130 and 140 and the Control Word, which consists of values in the 26 bits into Tier Controls 110, 2 bits into the Hash Controller 54 and 4 bits into the Clock Controls 150. In another preferred method of initializing the ZK-Crypt, after Cipher Reset and loading Control Constants, a series of secret initial condition Message words are pseudo-digested in MAC feedback mode, thereby diffusing secret values into the binary variables of the ZK-Crypt.

For Multi-Step RNG, SCE, or MAC operation the constant non-secret Sample X Delay Vector input into the 4 bit X Counter 157 is set, as are all other configuration settings, prior to issuing the Cipher Preset command. The Delay Vector number (MS bit right hand) is the total number of Primary Clocks (including the Sample Clock) that the Register Bank will be exercised for a single Sampled output. “0100₂” to “1111₂” (2 to 15) are valid inputs. Single Step operation, wherein the Sample pulse and a single Primary pulse are emitted simultaneously, is actuated by the Single Step RNG/SCE/MAC command, which is oblivious to the Delay Vector setting.

Presetting of the control constants prepares the circuit for Single or Multi-Step nLFSR Register activation, for single system clock (deterministic) or dual clock (random) operation; for single tier (low power) or triple tier (higher complexity) nLFSR activation (at each Primary Clock) and for message feedback (increased complexity RNG, SCE or normal MAC functions). The Cipher Preset then exercises a single step, wherein the Sample Delay Counter 157 is loaded, and the Intermediate Correlation Store 170 is loaded whilst the Tiers are activated for a single shift. The Feedback Mux Store 400 remains unchanged, unless a Message Word not equal to zero is resident in message combiner 190.

For SCE and MAC the deterministic Key is normally a seed of 128 bits, 32 bits in each tier and 32 bits of control word.

Extending the secret keyed initial condition space to include all obscure variables is typically enacted in the Single Step MAC Feedback configuration, wherein a plurality of secret words are loaded into message combiner 190, and subsequently typically three or more Single Step commands are issued (after Cipher Reset), with the Synch Counter Disabled, diffusing the Message bits into the new Initial Condition. Such an extension adds another 70 binary variables for a total of 198 bit new Initial Condition.

Single Step Operation

Single Step ZK-Crypt operation is the preferred mode for commercial and civilian applications. In Single Step RNG or SCE operation the ZK-Crypt Samples and outputs 32 bits of cipher text; or Samples and outputs an unpredictable string of 32 bits at every step of operation. When in MAC mode, in a first phase, the ZK-Crypt digests 32 bits of message text at each clock, then in a second phase outputs, at each clock, 32 bits of message identifier code. The function, during a Single Step cycle, activates the Random Clock Generator, the Top, Mid and Bot configuration controllers, and, via the Intermediate Store, “draws” the random signals through a myriad of randomized glue logic filters, and XORs the 32 bit value with the previous 32 bit value stored in the Intermediate Store.

Page and Target Synch Counter/Comparator 300 (elaborated in FIG. 5) counts to the page set by the 3 bit Page Equality constant, operative to interrupt the Host. The Target count is set to halt the Multi-Step Synch to Target or the Single Step Synch to Target for mid File start of Decryption mask preparation.

The Initial setting of the ZK-Crypt for SCE or MAC modes is, in each case, a “known” value. For SCE, this must be a secret value, known to the encryptor and decryptor. If the MAC initial setting is a secret, this is an equivalent to a keyed hash value, wherein only the “owner” of the confidential value can ascertain the authenticity of the hash.

Typically, the MAC will be performed in a specific environment with the same initial condition (note above, typically after reset and preset to a constant initial condition). The strategy for exchanging and determining SCE keys for each data set is typically unalterable, once a particular strategy based on client demands is established. An SCE key set, typically, is never used more than once.

Wait and Sample is the asynchronous operation to increase complexity of results in all three modes, using the Delay Vector value to define the “Wait”.

Preventing MAC Collisions

In the MAC configuration accelerated diffusion of single bits is of primary importance to prevent “collision”. Collision describes the event that a change in the ZK-Crypt variables caused by one alteration in a MAC Message, e.g., “Deposit $150” to “Deposit $150000”, can be compensated for in another place in the same message, e.g., change “Best Regards” to “All the Best”, wherein the final MAC signature will be identical. In the single step, multi-tier configuration at least four bits out of the 32 bits are toggled by a single bit change in the message. Each additional rotational step (clock cycle) of the register bank increases the diffusion, until after four rotations, the average of “hits” and “misses” will be equal.

The Single Step Synch to Target input activates a synchronous procedure that increments the ZK-Crypt engine from the initial setup condition to the “targeted” index number of the mid file encryption word. In stream cipher encryption, typically, the cipher masks (the obscure conditions of the variables in the encryption engine) are not affected by the Message that is being encrypted. Therefore, in single step mode decryption, each Primary Clock activation increments the engine for a “distance” of one word from the start of the file; and in this mode, the engine is incremented to the distanced word indexed in the “Synch Target & Page Comparator”. For applications driven by a finite state machine, where the outputs are DMA (direct memory accessed) placed in a file, this command could be used for filling a “One Time Pad” memory device with a long secret key file.

Synch counting is typically essential for synchronizing long transmissions over multi-channeled networks, e.g., the Internet. When enabled, the counter in 300 is incremented at each Sample command.

Modes of Primary Clock Operation

There are five modes of Primary Clock operation:

i) Single pulses are emitted when the ZK-Crypt is activated by the “Single Step Encrypt/RNG/Authenticate” Command. This single step pulsed Primary Clock cycle activates a Sampling flag that loads the Intermediate Store (and optionally the Feedback Store), clocks the “5 of 6 Random Clock” (in Single Clock Mode) and synchronizes the (P)Random output, and simultaneously clocks the Register Bank. The command to single step is typically issued at arbitrary intervals, by the Host. At each clock, the output is typically read by the Host.

ii) A burst of X pulses (defined by the Sample Delay Vector input), wherein at each Multi-Step Command flag (X−1) pulses activate the 5 of 6 Random clock and the Register Bank, and on the last X'th pulse, the Primary Clock additionally activates the Sample Command to load the Intermediate Store (and optionally, the Feedback Store) and optionally pulse the Synch Count.

iii) A long sequence of pulses, wherein the “Single Step Synch to Target” activates the Primary Clock; simultaneously activates a Sample to the Intermediate (and optionally to the Feedback) Store(s); and also emits a pulse to the Synch Count; this sequence repeated until the decryption mask is set for decoding the cipher text starting from the specified word in mid file.

iv) A long sequence of pulses, wherein the “Multi-Step Synch to Target” activates the Primary Clock to “churn” the random controllers and the Register Bank a defined number of pulses; and at the last pulse of each multi-step cycle activates a Sample to the Intermediate (and optionally to the Feedback) Store(s); and also a pulse to the Synch Count, repeatedly until the decryption mask is set for decoding cipher text from the defined word in mid file.

v) A free run activated Primary Clock to “churn” the random controllers and the Register Bank an undefined number of pulses for increasing complexity in random number generation. The generator is typically either operating in Dual Clock Mode, wherein the random controllers will be activated by the autonomous oscillator, with the output synchronized to the Primary Clock, or in Single Clock Mode, typically after random initialization of the ZK-Crypt. The Sample to Intermediate and Feedback Stores are activated to output a random string. The Synch Counter would typically be redundant in the RNG mode.

The Synch Counter with its auxiliary Comparator is enabled to count by gate 154. Typically 300 counts the encrypted and digested Message Authenticated words, and outputs flags (interrupts) to denote new pages and/or an end of defined operations, as for mid file decryption or proving to a remote communicant that data packets have arrived in the proper sequence.

DT4 (P)Random Clock

FIG. 4 is a simplified block diagram of an integrated clocking device operative to output either colored pseudo-random or random pulses, synchronized to the primary clock input.

Two alternate clocking sources drive the (P)Random Clock Generator 210. The most important is the Primary Clock, see FIG. 3, which is operative to drive and synchronize the Generator 210 in all modes of operation. For RNG functions wherein a Ring Oscillator 205, in the clock source 201 of the generator 210, neither interferes with the normal operation of the Host 10 (e.g., the free running frequency does not interfere with wireless transmission and reception), nor does the increased current consumption inordinately drain the battery, the Dual Clock Mode is preferable for increased entropy.

The Clock Generator 210 is operative to drive the randomizing Control Units in FIGS. 6 and 8, at about 84% of the speed of the Primary Clock. Stated differently, occasionally the (P)Random Clock output does not “mirror” the Primary Clock, as one or two pulses are “randomly” missing from the Host commanded Primary Clocks. This means that the random triggered outputs of the Control Unit are seemingly even less correlated.

The (P)Random Clock Slip pulse from FIG. 6 aberrates the stages of a 5 celled nLFSR in 210, without changing the serial output statistics. A 5 celled nLFSR with the NOR gate insertion of the all zero stage, see FIG. 11A, with or without a Slip aberration has an average random output of one half ones. Such a five celled nLFSR's NOR gate serially outputs a one at 2/32 of the instants. A two celled native LFSR's stage sequence without the NOR gate extension does not include the “00” stage (unless the initial condition is “00”); i.e., the native serial average output is ⅔ ones and ⅓ zeroes. The seemingly random NOR generated ones are ORed to the feedback of a two celled nLFSR to raise the average ones output of the 2 bit nLFSR to ⅔+⅓·2/32.

The ZK-Crypt operates in Single Clock mode for all deterministic operations, wherein the generator 210 is synchronized to the Primary Clock. When the generator 210 is operating in the RNG Dual Clock Mode, it is typically not synchronized to the Primary Clock pulses. The synchronizing block 220 shapes output pulses to assure that clocking device 200 outputs will be synchronized to the Primary Clocked ZK-Crypt functions. Flip-flop pair F1 and F2 with NXOR output the (P)Random Clock which drives FIGS. 6 and 8. Toggle flip-flop F1 changes polarity when the T input is one as the Primary Clock signal rises from zero to one, in the first half of the clocked period. Data type flip-flop F2 assumes the output binary value of F1, as the Primary Clock signal falls from one to zero in the second half of the clocked period. The NXOR gate therefore outputs a zero in the first phase of a Primary Clock pulse when the T input is a one, and the NXOR gate of 222 outputs one at all other instances. Flip-flop 223 outputs the complemented output value of the 5 celled nLFSR of 210. This generates the full period Juggle Hash Toggle of FIG. 10, operative to be one, typically one half of the time. AND gate 224 generates a full clock period one at any rising Primary Clock pulse coinciding with a one output from the second LS cell of the 5 celled nLFSR of 210, Q₁.

DT5 Block DIAG Synch Top & Page Interrupt

FIG. 5 is a simplified block diagram depicting the device of parsing packets of “cipher text message” into pages, and/or interrupting a sequence at a targeted address, wherein a dual purpose comparator transmits page and target address interrupts.

Stream ciphers are probably the most used symmetric encryption mechanism, especially suitable for transmission over noisy channels, as when encryptor and decryptor are bit wise synchronized, faulty bits do not propagate error. To the best of the inventors' knowledge, no cost effective method has been devised which successfully bit-wise synchronizes on the fly. Frame or packet synchronization, as practiced in conventional communication and as implemented in 300, can be less efficiently embedded in firmware. In a preferred embodiment, when a start of page frame is sent/received, both the sending and the receiving devices will generate an interrupt, whence the sender will insert the value in the Mask Synch & Page Counter 320 read on the Synch Num Out word. Typically an Internet receiver will evaluate the count number to see if the Frame arrived in the proper sequence, by XORing the received count value with the value in the receiver's Counter.

In preferred embodiments in mass storage devices containing stream enciphered long files, a running key for mid word sections of the file must be prepared. (An unsavory alternative would be to establish and save and use a unique secret running key for each mid section.) As the ZK-Crypt can generate a 32 bit mask at each system clock cycle, this problem is essentially averted with the built in Single Step Synch to Target and Multi-Step Synch to Target commands, see FIG. 3, which automatically step the ZK-Crypt from the formal first word of the encrypted file, using the secret key known to the encryptor and decryptor, generating (but typically not using) mask after mask up to the targeted mid file word mask, at which step it generates a Synched to Target Interrupt. Typically the Mask Synch and Page Counter 320 data output is ported to the host, and can be read and transmitted at will. The Equality Logic Array 330 generates the Synched to Target Interrupt when the value in the Counter 320 is equal to the value in the 32 bit Synch and Page Register 310.

A serious problem, unique to stream ciphers, is the necessity of generating, distributing and/or saving an unpredictable secret key for each new data set. This is necessary, as an adversary who has access to a cipher text and the clear text source can XOR each successive cipher/plain text word pair and learn the encrypting sequence which was generated by the given secret key. (Note, it would be intractable to extract the key.) Methods for deriving secret keys from key pairs known to sender and receiver, using a 32 bit word sent in the clear, are easily devised; e.g., increment an index; XOR the new index number to the original secret key, and exercise the ZK-Crypt S sample cycles using the Wait and Sample function, with Delay Counter set to D cycles of exercising the tiers (1<D<16), in a Feedback mode to establish a new running key; knowing that the increment is well diffused into the new initial condition running key.

In preferred embodiments, a target word is loaded into the target store 310, the 32 Bit Synch and Page Target Register, wherein the LS bit sits in the left-most cell. From 4 up to 10 LS bits of the target word define the LS bits of a start of a page, e.g., 8 bits define 256 word pages; a Page Equality 3 bit input word set to 110₂=6₁₀, addressing multiplexer 340, defines an interrupt every 512 encrypted words.

Synch Count, when enabled, see FIG. 3, increments the Mask Synch and Page Counter 320 at each instant that a new Mask is Sampled, see FIGS. 1, 2, 7, and 14.

Logic in Equality Logic Array 330 outputs 7 flags to multiplexer 340 signaling page lengths of 16 to 1024 thirty-two bit words. The Multiplexer 340 is operative to select which, if any, of the flags generates an Interrupt. Interrupt flags are typically generated at the beginning of each page, preferably both in the encryptor and decryptor.
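The following added example (not code from the patent) models the Synch and Page counter/comparator 300 and a Single Step Synch to Target run for mid file decryption. It assumes a SHA-256 chain as a stand-in mask source in place of the ZK-Crypt engine, that words are numbered from 1, and that a Page Equality value k selects pages of 2^(k+3) words, which is inferred from the page's "6 gives 512" and "16 to 1024"; all class and function names are hypothetical.

```python
import hashlib


class StandInMaskGenerator:
    """Sequential 32-bit mask source. Stand-in only (SHA-256 chain), NOT the ZK-Crypt."""

    def __init__(self, key: bytes):
        self._state = hashlib.sha256(b"constructed-demo" + key).digest()

    def sample(self) -> int:
        # Like a stream cipher mask, the state never depends on the message.
        self._state = hashlib.sha256(self._state).digest()
        return int.from_bytes(self._state[:4], "big")


class SynchCounter:
    """Model of counter 320, target register 310, equality logic 330 and mux 340."""

    def __init__(self, target: int = 0, page_select: int = 0):
        self.count = 0
        self.target = target & 0xFFFFFFFF
        # Assumed mapping: select 1..7 -> compare 4..10 LS bits; 0 -> no page interrupt.
        self.page_bits = page_select + 3 if 1 <= page_select <= 7 else 0

    def on_sample(self):
        """Increment at each Sample; return (page_interrupt, target_interrupt)."""
        self.count = (self.count + 1) & 0xFFFFFFFF
        target_irq = self.count == self.target
        page_irq = False
        if self.page_bits:
            mask = (1 << self.page_bits) - 1
            page_irq = (self.count & mask) == (self.target & mask)
        return page_irq, target_irq


def encrypt(key: bytes, words):
    gen = StandInMaskGenerator(key)
    return [w ^ gen.sample() for w in words]


def synch_to_target(key: bytes, target: int):
    """Step from the first word, discarding masks, until the target interrupt."""
    if target < 1:
        raise ValueError("words are numbered from 1 in this model")
    gen, ctr = StandInMaskGenerator(key), SynchCounter(target=target)
    while True:
        mask = gen.sample()
        _, hit = ctr.on_sample()
        if hit:
            return gen, ctr, mask  # mask belongs to word number `target`


def decrypt_from(key: bytes, cipher_words, first_word: int):
    """Decrypt starting at word `first_word` without touching earlier cipher text."""
    gen, ctr, mask = synch_to_target(key, first_word)
    plain = [cipher_words[first_word - 1] ^ mask]
    for c in cipher_words[first_word:]:
        plain.append(c ^ gen.sample())
        ctr.on_sample()
    return plain


def page_interrupts(page_select: int, samples: int) -> int:
    """Count page interrupts over `samples` Sample commands, target LS bits zero."""
    ctr = SynchCounter(target=0, page_select=page_select)
    return sum(1 for _ in range(samples) if ctr.on_sample()[0])


def frame_in_sequence(received_count: int, local_count: int) -> bool:
    """Receiver check described on the page: XOR of the two counts must be zero."""
    return (received_count ^ local_count) == 0


if __name__ == "__main__":
    KEY = b"constructed demo key"           # constructed sample key
    plain = list(range(1000, 1100))         # constructed 100-word "file"
    cipher = encrypt(KEY, plain)
    print(decrypt_from(KEY, cipher, 41) == plain[40:])
    print(page_interrupts(6, 2048))
```

The cost of a mid file start is one discarded mask per preceding word, which is why the page ties the feature to a generator that produces a 32 bit mask every clock.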

In many instances the encryptor and decryptor are the same entity, wherein the encryption device is embedded in a secured environment, operative to encrypt and store large files of data in an insecure storage device. At the header of each large encrypted file of data, the device typically stores an encoded equivalent of the secret initial condition key.

DT6 Activating Tier Clock & Selecting Tier Slip & ODDN XORing

FIG. 6 is a simplified block diagram depicting the integration of the top, middle and bottom control units, see FIG. 8, operative to activate tiers randomly, singly, or in groups; to select ODDN complementors, and to emit slip displacement pulses to left or right hand nLFSRs of the 3 tiers, and also to aberrate the stage sequence of the 5 cell nLFSR in the (P)Random Clock Generator of FIG. 4.

The central Control of Aberrations 500 of the Register Bank 30 and the Data Churn 50, in FIG. 2, consists of three control units, described in FIG. 8. Each of these randomly, on an average of about one in 11.3 Primary clocks (one in 9.5 (P)Random clocks), is operative to generate either a Left or Right Slip pulse, and once in 19 (P)Random clocks, to simultaneously complement the Control Flip-flop output, see 530 in FIG. 8.

The Slip Encoder 550 pseudo-randomly combines the pulse signals, such that Slip pulses are transmitted simultaneously to all three tiers. The Right Hand Slip pulse causes a slip in the 5 cell nLFSR of 210, FIG. 4.

When regulated in the Random Brownian mode, the TOP, MID and BOT BROWN signals are operative to seemingly randomly toggle the pseudo-Brownian permutations in the Top, Middle and Bottom tiers. (See Rotate and XOR Tier Output Word for a software “friendly” alternative to the pseudo-Brownian displacement function.)

The three Control Flip-flop outputs address a multiplexer in the Tier Select and Clock Controller 540. The Controller 540 is operative when activated by the En Single Tier Select. When a tier (120, 130 or 140) is selected, each Primary Clock pulse activates a stage change in the selected nLFSR. When the En Single Tier Select is not activated, the Host 10 optionally selects which single tier, typically for test, or which combination of tiers, are activated by the Primary Clock.

The three unbiased Top, Mid and Bot ODDN Select complement vector drivers emanating from enabler 560 are the unbiased Control Config signals from the control units 500. Together they randomly complement 31 of the 32 Hash Matrix outputs. (The number 4 bit output of the Hash Matrix is randomly toggled by AND gate 224 of FIG. 4.) The triplet of ODDN selectors 560 is typically disabled by the Enable ODDN Selects for hardware testing.

DT7 Omnibus Combiner with MAC

FIG. 7 is a simplified diagram of the data processing modules driven by control devices of FIGS. 3, 4, 5, and 6, showing the devices with memory which are shifted, and aberrated randomly, or are combined, sampled and stored.

The three tiers, 120, 130 and 140, each consisting of two unique nLFSRs and a pseudo-Brownian filter, are each a slightly biased pseudo-random binary sequence generator, operative to change state in random turn or in tandem to produce a combined word, in Tier Combiner 49, to be input into the Hash Permutation Matrix 50. The 13 bit nLFSR residing on the Left Hand side of the Top Tier of the Register Bank is described in FIG. 11. The general configuration of all six nLFSRs is similar; they are differentiated by the number of cells, and the feedback taps. Likewise, the general configuration of the three tiers is similar, being differentiated by the pairs of nLFSRs, and the pseudo Brownian permutation vectors. The Top Tier 120 is described in FIG. 12. The Three Tier Combiner 49 consists of the equivalent of 32, 3 input XOR gates, operative to combine each of the bits, from the LS to the MS, of the three tiers. The 3 tiers combiner 49 is a passive logic array, combining the present outputs of the three tiers. The outputs of the tiers are active (not 3-State) whether or not a particular tier is clocked.

Hash Matrix

The Hash Permutation Matrix with ODDN Permutations 50 is described in FIG. 9. There are four Hash displacement vectors, one of which is a direct one to one output (no displacement) of the XOR combiner 49. The ODDN vectors of XORs are each an odd number of XOR gates, operative to be non-bias activated by the Controls of FIG. 6 and to randomly assure that the output of combiner 49 are not 32 bit even number strings, ENSs, each containing an even number of ones.

The Correlation Immunizer, Intermediate Store and non-Linear Combiners of 170 and 170B, with embodiments described in FIGS. 15A, 15B, 16A and 16B, are designed to receive a balanced distribution input and to increase the degrees of correlation immunity and non-linearity of the output strings.

Depending on the mode of operation, the output word of the combiners 170 or 170B is a (P)Random Mask, and is typically the RNG output, when the Message word input into message combiners 190 or 190B is all zeroes; or is the “running key” mask for SCE encryption or decryption; or the digest mask or an intermediate diffused signature variable for Message Authentication. In preferred embodiments, programmers optionally further mask the RNG output of 170 or 170B with an arbitrary message word in message combiner 190. Feedback unit 400 consists of multiplexers 405 to direct the input to the Feedback Combiner and Store 410. Combiner 410's circuitry is typically similar to Combiner 170's circuitry described in FIG. 15.

The three tiers, 120, 130 and 140, are activated when selected by the Primary Clock. Only the Intermediate and Feedback Stores are activated by the Sample pulse, synchronized to the Primary Clock.

DT8 Control Unit

FIG. 8 is a simplified functional block diagram describing the Top, Middle and Bottom control units 510 operative to drive the tier selects and clock control, the ODDN switches, and the Slip Encoder of FIG. 6. The architecture of the three control units is basically the same, differentiated essentially only by the structure of the three different length many to one nLFSRs 512 (a.k.a. extended length LFSRs, as the all zero stage is now a valid stage in the FSR sequence).

The two internal random triggering devices in the Control Unit are the 3, 5, and 6 celled nLFSRs 512, implemented in the TOP, MID and BOT Control Units, respectively; and the Random up-Counter 515, which calls for a Slip on the average of once every 9.5 (P)Random Clocks. The random number of clocks between pulses is a function of the status of three cells of the relevant nLFSR 512, and the feedback from the MS output of the relevant TOP, MID or BOT Tier MS cell.

When the 4 bit Counter 515 triggers at count 15, a Right Hand Slip Pulse is emitted to 500 in FIG. 6, if the MS cell output of the relevant nLFSR 512 is a zero; if at the trigger instant, the output of the MS cell output is a one, a Left Hand Slip Pulse is emitted, and also the CONFIG FF 530 changes polarity.

When the Brownian function 525 is enabled and the ALWAYS BROWNIAN flag is a one, each tier's outputs are auto-XORed with a permuted displacement vector, see FIG. 12. If RND BROWNIAN is enabled, the tier's BROWN function flag 525 is randomly toggled by an output of an internal flip-flop of an nLFSR 512. Bits from the Control Word are loaded into the Control Unit, after Cipher Reset, by the Control Preset Word Load command from the Host. For low cost software deployment, and lowest current consumption hardware implementations, typically, the pseudo-Brownian function is disabled, with the Disable/En Brownian Host setting, or the pseudo-Brownian function is replaced by the Rotate and XOR Tier Output Word.

DT9 Random Hash with ODDN Permute

The Displacement 52 and Odd Number Complementing Permutation Togglers 57 in FIG. 9 show the permutations on the 3 tier XORed word directed by the Johnson Counter Random Stepper 54 of FIG. 10, and the ODDN Selectors 560 from the integrated controller of FIG. 6, and the ODD4 Toggle from AND gate 224 of the (P)Random Clock of FIG. 4.

At each Host prompted Sample command, the Johnson Stepper randomly activates a different displacement permutation vector, A, B, C or D, which redirects the inputs from the 3-tier XOR Combiner 49. Each input bit, Ixx, is directed to an output bit, Aaa, Bbb, Ccc or Ddd, wherein the D Vector is a straight through same location output. For example, when the B Vector is activated, input bit I15 is directed to the 21'st output bit; when the A vector is activated, the I11 input bit is connected to the 25'th output bit. The D vector does not change the bit orientations and is useful for testing/reading the outputs of the Register Bank.

The ODDN selectors are all unbiased permutation complementors, wherein all combinations of the four selects are equiprobable, and circuit diagram 57 is self explanatory. Each ODDN vector complements an odd number of bits, thereby converting an ENS to an ONS, or an ONS to an ENS, and complements 9 or 13 bits of the Matrix permutation. The ODD4 Toggles the bit 4 only. Note that the different selection lines of block 57 correspond to different selectable permutation vectors for permutation unit 50.

DT10 Hash Matrix Random Johnson Stepper

FIG. 10A is a block diagram explaining the mode of operation and the apparatus of the preferred embodiments for random joggling of Hash Vectors A, B, C, and D. FIG. 10B is a state diagram depicting the operation of the joggled Johnson Counter Random Stepper operative to activate the Hash vectors of FIG. 9 in RNG, SCE and MAC modes.

Johnson Counter

A conventional Johnson n Counter is an n-celled shift register, where a “1” rotates from left to right and wraps around interminably. For the deterministic functions, SCE and MAC, the initial condition of the counter 54 is set by the Load Cipher Control Word command, wherein the two bits of the Control Word initial condition is decoded by 54B, to a single moving of the single “1” at each Sample command.

As it is typically beneficial to initiate the RNG mode with all flip-flops in a random state, circuitry has been implemented to force the counter to the 0001 stage, if more than one flip-flop in the Counter 54, 54C of the state diagram, is a “1”, F=1; or if the counter is in the all zero state, E=1, and a zero is “forced” into the LS, A bit of the Johnson counter 54. This Self-Start assures that only one Hash vector is operative at a Sample cycle.

Note that stage 55A activates the A Vector, 55B the B Vector, 55C the C Vector and 55D activates the D Vector. At every clock, if the Juggle Hash Toggle signal, V, from FIG. 4 is “0”, then the bit in 55D→(progresses to) 55A, 55A→55B, 55B→55C, 55C→55D, 55D→55A . . . etc. However if V=1, then (as J will be “1”), 55A and 55C are “Juggled” such that 55A→55D, and 55C→55B, as is illustrated in 54A.

DT11 One to Many 13 Bit nLFSR

FIGS. 11A and 11B show the typical architecture of a Multiple Return nLFSR, a.k.a. One to Many nLFSR 760; operative to be loaded with Initial Conditions from a Host 10 in circuit 750; operative to accept a stage modifying Left Slip bit from FIG. 6; operative to receive optional Feedback from Feedback combiner 400, FIG. 14, into XOR vector 740, and enhanced with the NOR extension 770, to assure a balance of ones and zeroes. All 6 nLFSRs, two in each tier, are based on the same architecture, the only difference being the number of cells in the Register, and the Feedback configuration. Components of the Feedback Register 720 are detailed in FIG. 11B.

In the Many-to-One configuration of 760, the feedback assembly 730 regulates the serial feedback bit. The F_(B) nLFSR feedback is an XOR of the random Left Slip pulse from FIG. 6; the output of the NOR gate 770; and the output of the MS cell 785, the last being the most active of the three signals. The signals are NXORed in gate 775 to generate the complement of the Feedback signal, F_(B). NOR gate 780 negates the F_(B) when the Host 10 loads the Top Cipher Word, fed into NXOR vector 740 during the Enable Top Cipher Word command from the Host.

Avoiding “Stuck on Zero”

Normal LFSRs “get stuck on all zero”, when all cells of the register are at Zero value, and the MS cell cannot generate a “1” value, to generate a normal sequence. If the all zero value is not included in the total sequence, then a “surplus” of n (the number of cells in the LFSR) ones appear in the resultant full string of 2^(n-1) bits.

When NOR gate 770 senses that the 12 LS cells outputs are all zeroes, NOR gate 770 generates a one. Normally, the first instant of sensing 12 zeroes, is when the MS cell outputs a one, so that the Feedback bit will be a zero, fed back into the LS cell, operative to cause an all zero parallel output of the Register 720. At the next clock cycle, the MS cell outputs a zero, and the NOR gate 770 again senses 12 zeroes and outputs a one, thereby causing a One to Many “1” feedback, into the feedback taps following cells 2, 3, 5, 8, and 9. (The MS cell's output is also considered a feedback tap.) At this second clock shift, cells 0, 3, 4, 6, 9 and 10 will be complemented to one.

All nLFSRs in the ZK-Crypt are “maximum” length, as all of the 2^(n) bit possible words exist in a normal uninterrupted 2^(n) sequence and are therefore equiprobable.

Note that nLFSR cells are numerated from the LS bit “0” on the left to the MS bit “n−1”, on the right.
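The behaviour described above for the 13-cell register, modelled as an added example (not code from the patent): the Left Slip and MAC feedback inputs are held inactive, and all function names are assumptions. It compares the register with and without the NOR gate and reports the length of the cycle that passes through the all-zero state.

```python
# Model of the 13-cell One-to-Many register. Bit i of `state` holds cell i,
# with cell 0 the LS cell (left) and cell 12 the MS cell (right).
N = 13
MS = N - 1
STATE_MASK = (1 << N) - 1
LOW_MASK = (1 << MS) - 1          # the 12 LS cells sensed by the NOR gate

# Feedback is XORed in after cells 2, 3, 5, 8 and 9 (taps named in the text),
# i.e. at the inputs of cells 3, 4, 6, 9 and 10, and always enters cell 0.
TAPS_AFTER = (2, 3, 5, 8, 9)
FEEDBACK_MASK = 1 | sum(1 << (c + 1) for c in TAPS_AFTER)


def step(state, nor_extension=True):
    """Advance the register by one clock and return the new state."""
    ms_out = (state >> MS) & 1
    # NOR gate: outputs 1 only when the 12 LS cells are all zero.
    nor_out = int(nor_extension and (state & LOW_MASK) == 0)
    feedback = ms_out ^ nor_out
    shifted = (state << 1) & STATE_MASK   # cell i takes the value of cell i-1
    return shifted ^ (FEEDBACK_MASK if feedback else 0)


def cells(state):
    """Return the indices of the cells that hold a one."""
    return [i for i in range(N) if (state >> i) & 1]


def cycle_length(start, nor_extension=True):
    """Number of clocks until the register returns to `start`."""
    state, count = step(start, nor_extension), 1
    while state != start:
        state = step(state, nor_extension)
        count += 1
    return count


def is_permutation(nor_extension=True):
    """True when every state has exactly one predecessor (no merging paths)."""
    return len({step(s, nor_extension) for s in range(1 << N)}) == 1 << N


if __name__ == "__main__":
    print("plain register from all zero :", cells(step(0, nor_extension=False)))
    print("NOR register from all zero   :", cells(step(0)))
    print("MS-only state goes to        :", cells(step(1 << MS)))
    print("cycle through all-zero state :", cycle_length(0), "of", 1 << N)
```

Without the NOR gate the all-zero state maps to itself; with it, the all-zero state is spliced into the cycle directly after the state in which only the MS cell is set.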

The feedback signal taps into the TOP tier left hand 13 Bit nLFSR and the right hand 19 bit nLFSR and are XORed at the input/output juncture, e.g., 7616 in 7000, of the following cells:

2, 3, 5, 8, 9 and nominally 12; and 1, 3, 5, 7, 8, 9, 11, 14, 16 and nominally 18; respectively.

The feedback signal taps into the MID(dle) tier left hand 18 Bit nLFSR and the right hand 14 bit nLFSR and are XORed at the input/output juncture of the following cells:

2, 4, 6, 7, 10, 11, 12, 13, 15 and nominally 17; and 1, 4, 5, 8, 10, 13 and nominally 13; respectively.

The feedback signal taps into the BOT(tom) tier left hand 15 Bit nLFSR and the right hand 17 bit nLFSR and are XORed at the input/output juncture of the following cells:

0, 1, 5, 6, 10 and nominally 14; and 1, 4, 7, 9, 10, 12, 13 and nominally 16; respectively.

In FIG. 11B, the three typical cells common to the six nLFSRs are depicted. The LS cell, left hand cell, around D flip-flop 7200 is operative to receive the Feedback signal during normal operation, via NAND gate 7210, which receives the complemented F_(B) (by the inactive complemented MAC feedback via XOR 7215 FIG. 11A). When the TOP Cipher Word is loaded, the Enable Cipher Word command, selects the vector 750, FIG. 11A, and disables F_(B) in gate 780, so that gate 7210 is operative to receive the LS Cipher preset bit, relaying I₀ to the Data In (D₀) input of 7200. When the Host selects a Cipher word, the Host issues a Latch Cipher Word pulse via OR gate 7220, which “clocks” the register 720 flip-flops, thereby latching in the initial Cipher word.

The cell pair 7000 is detailed in FIG. 11B which characterize all nLFSR cells in the Register, (with the exception of the LS cell detailed above). The left hand number 2 cell input is not operative to receive the nLFSR feedback, F_(B) in XOR gate 7615 and the right hand cell is operative to receive the output from Q₂ of flip-flop 7202 XORed to F_(B) via 3 input XOR gate 7616. NOR gates (shown here) 7605 and 7606 are operative to disable the normal data shift in shift register 720, during loading of the Cipher Word.

NAND gates 7503 and 7513 from input vector 750, FIG. 11A, when selected, relay 12 and 13 input values into NXOR gates 7403 and 7404.

The MAC Feedback value is complemented, when the MAC feedback is active, and is FFFF otherwise.

Output Q₁₂, from the MS flip-flop is a random input into the Middle Control Unit's Counter 515 shown in FIG. 8.

DT12 Top Tier XORed FRW-REV Brownian

FIG. 12 is a mapping of the Top Tier 120 with concatenated 13 and 19 bit nLFSRs, see FIG. 11, with output X vector 820, scrambled the pseudo-Brownian Y vector 840, with local controls, MAC Feedback vector 430, and the Cipher Key Word Load word from the Host 10. The architecture of the Top Tier 120 is identical to the architecture of the Middle Tier 130, and the Bottom Tier 140; the difference being the feedback configuration of the nLFSRs, described in the previous section, and the Pseudo-Brownian vectors, described in the Glossary.

Initial key values, necessary for the deterministic functions, the SCE and the MAC, are downloaded from the Host 10 after Cipher Reset, and locked in place with the Cipher Preset command, for key lengths of 128 and less. Maximum length key loading is typically accomplished using the MAC Feedback mode wherein at least ten 32 bit key words are digested after Cipher Reset, and prior to the Cipher Preset command, to establish initial conditions in the native and obscure internal variables.

Tiers are “clocked” subject to the mode strategy. In the preferred Single Step mode, a seemingly random tier is stepped on the same clock as a Sample. In other preferred embodiments the three tiers are simultaneously activated.

Using the Wait and Sample command, either single tiers are randomly activated or all three tiers are activated for a predetermined number of cycles prior and while the last clock executes the Sample.

The nLFSRs in the One-to-Many configuration, when observed at each shift, have a “feeling” of movement from left to right, disturbed, randomly when a feedback complements “betwixt” XOR gates. Tests detected a correlation between the output and the movement. Past practice has revealed that the Slip displacement command occasionally causes a small bias on one or two of the output bits. XORing two slightly biased bits asymptotically removes the bias close to nil, whereas if one of the bits is unbiased, the result is totally unbiased.

The Pseudo-Brownian vectors of the three tiers were engineered to have a mapping of two to one or four to one. e.g., if all of the 2³² 32 bit values which are equiprobable on the X vector are XORed to the Y vector, there will be 2³¹ (2 to 1 mapping) or 2³⁰ (4 to 1 mapping) different R vector results, each appearing twice or four times respectively, in the full sequence.

Random (1 to 13 bit) clusters of input vector X, 820, reverse their direction, e.g., cluster (x₂₀, x₂₁, x₂₂, x₂₃) becomes “mirrored” cluster (y₂₃, y₂₂, y₂₁, y₂₀), wherein these mirrored clusters are dispersed randomly, in Y, such that a pseudo single “backward” oriented directional random Brownian type motion flows in the reverse direction to the forward oriented moving bit values in the nLFSRs. This new orientation effectively decreases the correlation between the input (the concatenated output of 710 and 810) and the XORed in 850 output of 820 and 840, e.g., bits 12 to 19 from Vector X are mirrored and are bits 00 to 08 of Vector Y, such that:

bit y₀₀ is XORed to bit x₁₉;

bit y₀₁ is XORed to bit x₁₈;

bit y₀₂ is XORed to bit x₁₇;

bit y₀₃ is XORed to bit x₁₆; etc. into vector output R.

The Y vector of 120 is activated when the Top Brown command from FIG. 6 is a one, wherein the NAND vector 845 complements the Y vector value. The NXOR vector 850, outputs the true value of R=X⊕Y, when the 845 is active, else, R=X. R is always a valid string and XORed to the result vectors of the Middle and Bottom tiers 130 and 140 of FIG. 2, irrespective if the tiers are clocked or static.

DT13-DT14

FIG. 13 is a state diagram depicting the stages of a preferred embodiment of the Message Authentication Coding apparatus and method of this invention.

FIG. 14 is a block diagram of the interacting modules configuration in a Feedback mode, the most important of which is the MAC validation mode charted in the sequence of FIG. 13.

The Blocks, E_(j) depict the state of the ZK-Crypt Engine 18 at instances j. At initialization state, E_(init), typically the Register Bank and the Obscure variables are set to a typically standard system condition.

Secret-Key MAC Signatures

For secret keyed authentication, wherein, a secret key initial condition is known to the Host 10 of Engine 18 and typically, only the Host and/or another device are privy to the secret key, and are able to authenticate a secret keyed MAC signature.

For a system standard keyed authentication, wherein, the system key initial condition is known to the Host 10 of Engine 18 typically, any same system Host is privy to authenticate a system keyed MAC signature.

In a preferred embodiment Engine State, E_(init), 15-I, the initial condition in 18 is achieved typically by:

a) executing the Cipher Reset Command to reset or set all flip-flops to a known value,

b) setting the Sample Delay Vector to equal the number of Register Bank activations to be exercised between authentication digests, when operated in the Wait and Sample mode of operation,

c) optionally loading the native variables in the control word (shown in FIG. 2) and the 3 tiers, 30, optionally only Cipher Reset and Cipher Preset are sufficient to initialize MAC variables,

d) setting the engine to MAC Feedback mode activated by MUX A, 410 to diffuse the bits of the Message word via the Feedback Loop, into the Feedback Store, and into the native and obscured flip-flop variables,

e) enable the Synch Counter,

f) for maximum diffusion, disabling Single Tier Select, enable TOP, MID, and BOT TIER ALWAYS, FIG. 6 or optionally, for lower power consumption, enabling Single Tier Select which is operative to randomly activate (clock) tiers, (only a clocked tier inputs Combiner 440's output),

g) execute a Cipher Preset, operative to Reset the Synch Counter and to latch in the Sample Delay Vector, and to latch an initial word into Combiner 170,

h) move the header word, x_(hdr), into the Host message port, for x_(hdr) to reside in message combiner 190, Di in the drawings, the header word, x_(hdr), typically includes the value m, the number of words in the message,

i) execute a Sample or a Wait and Sample command to finalize E_(init); wherein the Message word is XORed to the Mask output of the Intermediate Combiner 170, outputting internally y_(hdr) via MUX A 410 into the data input of Feedback Store and Correlation Immunizer 440 of FIG. 14 to be sampled at the next step, via Feedback vector output 430 and diffused into the active tiers or tier in the Register Bank 30.

Block 15-M is the message digest phase, where at each state from E₁ to E_(m):

a) message words from x₁ to x_(m) are moved to the Host output port

b) at each word, either of the Sample or the Wait and Sample command is executed, operative to diffuse each MAC Feedback word into the Register Bank, into the Intermediate Combiner and into the Feedback Combiner.

Block 15-T is the tail digest phase wherein the tail word, x_(t) typically includes the value m which can be read on the Synch Num Out Host input vector from the Mask Synch and Page Counter, 320, FIG. 5, whence:

a) message word x_(t) is moved to the Host output port,

b) a single Sample or Wait and Sample command is executed, operative to diffuse the tail word into the Feedback Combiner then:

at the first step of the MAC Signature phase, 15-H:

a) reset the Host output port, (to zero the Message input, D_(I), in message combiner 190), then for n steps,

b) execute a Sample or a Wait and Sample command to generate n MAC Signature words, H₁ to H_(n), to be read by the Host on the Data Results output, FIG. 14, from the Intermediate Combiner 170, outputting internal signature words via MUX A 410 into the data input of Feedback Store and Correlation Immunizer 440 of FIG. 14 to be sampled at the next step, via Feedback vector output 430 and diffused into the active tiers or tier in the Register Bank 30 to attain maximum diffusion of the Message digest.

In the preferred Message Authentication Coding embodiments, the number of 32 bit digested words is included in the header word, x_(hdr) of the digest, and in the last tail word x_(t), wherein x_(t) is generated by the Mask and Page Synch Counter, regulated by a fixed or frozen protocol, to automatically read the Mask and Page Synch Counter output, diffusing said count value into the native and obscure variables, thereby limiting the number of collision combinations that an adversary is typically capable of generating.

Multiplexer A inputs a Hash digest (including the Message Word) for MAC mode feedback, and is an option for additional RNG complexity.

Multiplexer B, is typically useful for adding complexity to SCE military encryption, and/or for added complexity for random number generation.

DT15 & DT16 Single/Dual Saved Carries in Non-Linear Combiners

FIGS. 15A, 15B, and 16A and 16B are block and circuit diagrams depicting correlation immunizing and non-linear combiners, found in preferred embodiments of the Intermediate Combiners 170 and 170B and optionally in the Feedback combiner 440. The simplest non-linear function is the AND product of two binary digits, x₁ and x₂, equal to x₁x₂. In the preferred embodiments the carry bits quickly become high order time dependent non-linear variables. Each carry saved input, standing alone, has a 25% probability of complementing one of the input XOR sums of Hash/ODDN outputs X0 to X31 of FIGS. 15A, 15B, and 16A and 16B; the sum consisting of the two last X_(j) bits.

FIG. 15 is a combiner with memory and a pseudo half adder single saved carry interaction. FIGS. 16A and 16B depict a pseudo three input full adder with double carry save.

FIG. 15 demonstrates a preferred embodiment for combining unbiased balanced distribution Sampled L bit length binary words, at Sample instants t=0 to t=i, wherein the input bit to the T_(j)'th interconnected transformation cell, at Sample time, m, X_(j(t=m)), is permuted to transmit a product carry bit, C_(j(t=m)) to the T_(j-1 mod L) transformation cell, operative to output Y_(j(m)), of the m'th output word, with correlation immunity in the concatenated string sense, and increased non-linearity comprising:

inputting a sequence of seemingly random words into the transformation cells, wherein at the i'th word instant, inputting the assumed statistically unbiased bit X_(j(t=1)), into the j'th bit location where the bit memory cell, T_(j), which stores the previous X_(j(t=i-1))'th binary value XORed to the previous input product carry bit, C_(j+1(t=i-1)), from the T_(j+1)'th, previous cell to be XORed with the X_(j(t=i))'th value to produce the Y_(j(t=i))'th output transform of the i'th input word, and to generate the product carry out bit C_(j(t=i)) to be transmitted to the T_(j-1)'th cell, where the carry out bit, C_(j(t=i)), is the product of the stored value, C_(j+1(t=i-1))+X_(j(t=i-1)), and the present input value X_(j(t=i)) so that for positive j and t values, j=j mod L and t=t mod L:

$$Y_{j(t=i)} = X_{j(t=i)} + \left(X_{j(t=i-1)} + C_{j+1(t=i-1)}\right),$$

where the carry from the right hand cell, C_(j+1(t=i-1)), at the previous instant is:

$$C_{j+1(t=i-1)} = X_{j+1(t=i-1)}\left(X_{j+1(t=i-2)} + C_{j+2(t=i-2)}\right)$$

and where i≧3, typically after the initialization procedure:

$$\begin{aligned}
C_{j+1(t=i-1)} &= X_{j+1(t=i-1)}\,X_{j+1(t=i-2)} + X_{j+1(t=i-1)}\,C_{j+2(t=i-2)} \\
&= X_{j+1(t=i-1)}\,X_{j+1(t=i-2)} + X_{j+1(t=i-1)}\left[X_{j+2(t=i-2)}\left(X_{j+2(t=i-3)} + C_{j+3(t=i-3)}\right)\right];
\end{aligned}$$

and for the general case where i≧3:

$$Y_{j(t=i)} = X_{j(t=i)} + \left(X_{j(t=i-1)} + \left\{\left(X_{j+1(t=i-1)}\,X_{j+1(t=i-2)}\right) + X_{j+1(t=i-1)}\left[X_{j+2(t=i-2)}\left(X_{j+2(t=i-3)} + C_{j+3(t=i-3)}\right)\right]\right\}\right)$$

wherein all X_(k(t≧0)) binary values are assumed unbiased, such that the probability of a “1” product of z random X_(k(t>0)) values is 2^(−z). The probability of a “1” carry-in binary bit is obviously ¼, but does not change the statistics of the probability of the output bit; but does contribute increasingly high order non-linear variables.

The Carry rule for FIG. 15 is simply, Carry C_(j(t=i-1 mod 32)) is input into cell T_(j-1(t=i mod 32)) and is summed to input X_(j(t-i mod 32)).

In the Double Carry configuration of FIG. 16, Carry C_(j) is input into both T_(j-1 mod 32) and also to T_(j+3 mod 32).

Noting that the conventional sign ⊕ is used for XOR, and the plus (+) sign for OR, Y_(j(t=i)), X_(j(t=i)) and C_(j(t=i)) are the j'th bit values at the i'th Samplings of the output, the input and the internal carry outputs, respectively and:

Y_(j(t=i)) = X_(j(t=i)) ⊕ (X_(j(t=i-1)) ⊕ (Sum of Carries)) where the:

Sum of Carries = (C_(j+1(t=i-1)) + C_(j-2(t=i-1))). The probability of the Sum of Carries, affecting the output of Y_(k(t=i)), for all balanced X_(k) inputs is the probability of the Sum of Carries being a “1”, where the probability of a “balanced” carry bit being “1” is 0.25:

| 4-(C_(i) + C_(j)) Samples | Probability of i'th input | Probability of j'th input | Output Bit_(i) + Bit_(j) | Probability of a “0” Output | Probability of a “1” Output |
|---|---|---|---|---|---|
| 0 + 0 | 0.75 | 0.75 | 0 | 0.5625 | |
| 0 + 1 | 0.75 | 0.25 | 1 | | 0.1875 |
| 1 + 0 | 0.25 | 0.75 | 1 | | 0.1875 |
| 1 + 1 | 0.25 | 0.25 | 1 | | 0.0625 |

Therefore the average that the Sum of Carry's output will be a “1” bit and will complement the exclusive OR sum of the input bits is typically 0.4375.
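The single-carry cell of FIG. 15 and the double-carry variant, modelled at word level as an added example (not code from the patent). The class and function names are assumptions, and the double-carry wiring follows the rule stated above that C_(j) feeds both T_(j-1) and T_(j+3), with the two incoming carries ORed; the random input words are constructed test data.

```python
import random

L = 32
MASK = (1 << L) - 1


def ror(word, r):
    """Rotate right: bit j of the result is bit j+r (mod L) of `word`."""
    return ((word >> r) | (word << (L - r))) & MASK


def rol(word, r):
    """Rotate left: bit j of the result is bit j-r (mod L) of `word`."""
    return ((word << r) | (word >> (L - r))) & MASK


class CarrySaveCombiner:
    """32 transformation cells T_0..T_31, one stored bit per cell."""

    def __init__(self, double_carry=False):
        self.double_carry = double_carry
        self.store = 0      # stored_j = X_j(t=i-1) xor carries received by T_j
        self.carry_in = 0   # carries latched at the last Sample (for inspection)

    def sample(self, x):
        """Clock in input word X(t=i) and return output word Y(t=i)."""
        y = x ^ self.store                 # Y_j = X_j(t=i) xor stored_j
        carry_out = x & self.store         # C_j = stored_j AND X_j(t=i)
        carry_in = ror(carry_out, 1)       # T_j receives C_(j+1)
        if self.double_carry:
            carry_in |= rol(carry_out, 3)  # T_j also receives C_(j-3), ORed in
        self.carry_in = carry_in
        self.store = x ^ carry_in          # value used at the next Sample
        return y


def carry_density(double_carry, words=20000, seed=1):
    """Fraction of cells whose incoming carry (or OR of carries) is 1."""
    rng = random.Random(seed)              # constructed, unbiased input words
    comb = CarrySaveCombiner(double_carry)
    ones = 0
    for _ in range(words):
        comb.sample(rng.getrandbits(L))
        ones += bin(comb.carry_in).count("1")
    return ones / (words * L)


if __name__ == "__main__":
    c = CarrySaveCombiner()
    print([hex(c.sample(w)) for w in (0xF, 0x5, 0x0)])
    print("single carry density:", round(carry_density(False), 4))
    print("double carry density:", round(carry_density(True), 4))
```

The measured densities can be compared with the ¼ carry probability and the 0.4375 Sum of Carries figure given in the text.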

The combiners of FIGS. 15 and 16, 170 and 170B each consist of 32 T_(xx) cells, T₀₀ to T₃₁. The circuits of cells 900 and 900B are depicted in FIGS. 15B and 16B. In 900 the complement of Carry bit from T₀₃ is input to NXOR gate 930 and in 900B the complement of Carry bit from T₀₃ and the complement of Carry bit from T₃₁ is input to NXOR gate 930B. When a Sample pulse activates flip-flops F02, in FIGS. 15 and 15B, the outputs of 930 and 930B respectively are the new outputs at the respective Q output of the F02 flip-flops. At the sample instant the next binary value X₂ and the Q output are XORed by 940 and 940B to generate a new Y₂ output. The Complemented Carries 920 and 920B are input into the T01 cell, and the Carry 920B is also input into the T05 cell.

The Intermediate Store combiners 170 and 170B, serve as the RNG output and the Mask for SCE, and also as the Feedback store combiner, principally for the MAC.

The original design, before adaptations for software implementations, specified combiners 190, FIG. 2 and feedback store, 400 without the carry save signals. Such units passed the DieHard suite tests exceptionally well. When the simple combiner was replaced with the 400 correlation immunizing combiner, the DieHard results were unsatisfactory. In preferred embodiments combinations of modules are typically chosen to be compliant with DieHard, typically with the knowledge that the input to the correlation immunizers had a high level of uncertainty.

It is appreciated that the particular embodiment described is intended only to provide a detailed disclosure of the present invention and is not intended to be limiting. It is also to be appreciated that the particular embodiments may be implemented in desired combinations of hardware, software and firmware.

1. A random number generating system for generating a random output word sequence and comprising: a register bank having a first plurality of register tiers each comprising at least one non-linear feedback shift register (nLFSR), wherein, in each of a multiplicity of iterations, at least one of said tiers generates: a first word which replaces any first word generated by that tier in a previous iteration, a second word comprising a displacement of said first word, and a third word comprising an XOR of the first and second words, and an output word comprising a selected one of the first and third words; a combiner which, in each iteration, receives said output words generated by the first plurality of tiers and combines said output words into a single binary word; and a data churn receiving said single binary word generated by said combiner and operative, other than in at least one initial iteration, to generate a data churn output word comprising an XOR of an input word, which is a function of said single binary word, with the data churn output word of a previous iteration.
2. A system as in claim 1 and also comprising at least one tier-associated random number generator randomly determining whether a corresponding tier from among said first plurality of tiers does or does not generate a first word to replace a first word from a previous iteration.
3. A system as in claim 1 wherein said data churn comprises at least one hash displacement matrix operative to scramble a function of said single binary word received by said data churn.
4. A system as in claim 1 wherein, other than in at least one initial iteration, said data churn output word generated by said data churn comprises an XOR of said input word, said data churn output word of a previous iteration, and a nonlinear combination of at least a portion of said data churn output word of the previous iteration.
5. A system according to claim 1 wherein said input word XORed by the data churn comprises, in at least one iteration, said single binary word received from said combiner.
6. A system according to claim 1 and wherein said data churn is operative to perform a stream ciphering function by XORing said data churn output word with a message thereby to generate a message-XORed word.
7. A system according to claim 1 wherein said data churn is operative to perform a message authentication function by: XORing said data churn output word with a message, thereby to generate a message-XORed word, and feeding said message-XORed word to at least one tier and wherein said tier is operative to generate said first word, in at least one iteration, as a function of said message-XORed word.
8. A system according to claim 1 wherein, in at least one iteration, said data churn is operative to feed said data churn output word into at least one tier and wherein, in at least one iteration, said tier is operative to generate said first word as a function of said data churn output word.
9. A system according to claim 1 comprising at least two random processes including a first random process which decides whether an individual tier generates a new first word in an individual iteration and a second random process which decides whether the output of an individual tier comprises its first word or its third word, wherein said system comprises at least one random clocking device driving said random processes.
10. A system as in claim 9 wherein the at least one random clocking device is activated by an autonomous unpredictable oscillator.
11. A system according to claim 1 wherein said data churn comprises a second plurality of toggle signals which each, in at least one iteration, respectively toggle a respective non-overlapping subset of a set of bits which is a function of the input word, thereby to generate a toggled word, and wherein said input word XORed by the data churn comprises, in at least one iteration, said toggled word.
12. A system as in claim 11 and also comprising a second plurality of random toggle signal generators randomly generating said second plurality of toggle signals.
13. A method for generating a random output word sequence, the method comprising: providing a register bank having a first plurality of register tiers, each comprising at least one non-linear feedback shift register (nLFSR) and generating at least one output word, wherein, in each of a multiplicity of iterations, at least one of said tiers generates: a first word which replaces any first word generated by that tier in a previous iteration, a second word comprising a displacement of said first word; a third word comprising an XOR of the first and second words, and an output word comprising a selected one of the first and third words; combining said at least one output words generated by the first plurality of tiers in each iteration, into a single binary word; and other than in at least one initial iteration, generating a data churn output word comprising an XOR of an input word, which is a function of said single binary word, with the data churn output word of a previous iteration.